3/4/24: Article updated with further clarification from American Express that it was a merchant processor who was hacked, not one of their service providers.
American Express is warning customers that credit cards were exposed in a third-party data breach after a merchant processor was hacked.
This incident was not caused by a data breach at American Express, but rather at a merchant processor in which American Express Card member data was processed.
In a data breach notification filed with the state of Massachusetts under "American Express Travel Related Services Company," the company warned customers their credit cards may have been stolen.
"We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system," explains the data breach notification.
"Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure."
The breach has led to customers' American Express Card account numbers, names, and card expiration data being accessed by the hackers.
It is unclear how many customers were impacted, what merchant processor was breached, and when the attack occurred.
When BleepingComputer asked American Express for more information about the breach, we were told that they do not disclose details of their business relationships and merchant partners and had no further information to share at this time.
However, American Express did say that they have notified the required regulatory authorities and are alerting impacted customers.
"When we learn about a data security incident that impacts our customers, we promptly begin an investigation and notify the appropriate regulatory authorities, as required," American Express told BleepingComputer.
"We also work to identify impacted customers and understand the specific impacts, and then notify them as required by applicable laws and regulations."
Furthermore, if a cardmember's credit card is used to make fraudulent purchases, American Express told BleepingComputer that customers would not be responsible for the charges.
American Express advises customers to review their account statement over the next 12 to 24 months and report any suspicious behavior.
The company also suggests customers enable instant notifications in the American Express mobile app so they receive fraud alerts and a notification each time a purchase is made.
Finally, if your card information was stolen, you may want to consider requesting a new card number, as it is common for threat actors to sell stolen credit cards on cybercrime marketplaces.
Comments
electrolite - 1 day ago
I have a better idea for American Express (and CC companies in general). How about they just send all the affected customers a new card every time a breach occurs. If it was law, they would have some incentive to have preventative measures in place instead of the usual 'Oh well, here slap my wrist' attitude.
Jesus9 - 1 day ago
Electrolite, I think you should read the article more carefully because it is a 3rd party processor that had data stolen which involved American Express cards. This means it's not American Express directly that was breached but the 3rd party processor.
I don't expect any reasonable response though.
electrolite - 1 day ago
You need to educate yourself before posting generic comments. Blaming a breach on a third party does not absolve American Express of blame. Secondly, go read up on PCI compliance. Credit card companies end up holding the PII, there was no merchant involved, so how can they not be responsible, they are the sole proprietor of that information. It looks like AE failed PCI compliance themselves!
And your point that AE is not to blame is like saying Facebook was not to blame for Cambridge Analytica scandal. Who paid the fine on that one?
Norrin-Radd - 8 hours ago
AMEX needs to issue new cards to all customers impacted at the expense of the Third-party vendor who lost the information.
If their contracts don't stipulate such, then AMEX needs to eat the cost and, on renegotiation, needs to add clauses to hold their vendors accountable.
There is no accountability anymore. Unless companies (AND PEOPLE) are held legally and fiscally responsible for data breaches they will continue to happen more and more often.
I would add that this includes customers holding companies accountable by switching to vendors with good security track records, but I don't even know if those truly exist anymore.