Third-party breach leads to American Express customer data compromise
Payment card provider American Express Company is warning customers that their credit card details may have been exposed following a breach involving a third-party provider.
The details were first revealed in a filing with the State of Massachusetts, with a form letter sent to affected customers stating that a third-party service provider “engaged by numerous merchants experienced unauthorized access to its system.” The breach resulted in account information of American Express members, including names, card numbers and expiry dates, potentially being compromised.
Surprisingly, American Express did not then follow the standard data breach response playbook, which would typically include offering credit monitoring and detailing what the company is doing about the incident. Instead, the letter simply states that customers should “be assured we are vigilantly monitoring your account for fraud and, if it should occur, you are not liable for fraudulent charges on your account.”
Neither the name of the third-party company that was breached nor the form of the attack has been disclosed. A spokesperson for American Express did provide some additional details to Bleeping Computer today, saying that it has begun an investigation and notified the appropriate regulatory authorities as required. “We [will] also work to identify impacted customers and understand the specific impacts and then notify them as required by applicable laws and regulations,” the spokesperson added.
The scant details provided by American Express did not go unnoticed. Claude Mandy, chief evangelist of data security at data security posture management company Symmetry Systems Inc., told SiliconANGLE that “the most disappointing aspect of this breach is the lack of detail — particularly over how the incident was detected and the scale of the compromise.”
“Although further details are hopefully forthcoming, this is indicative of similar third-party compromises in the payments industry,” Mandy explained. “The service provider often has insufficient logging and monitoring capability to determine what data was compromised, let alone whether the breach occurred. As a result, these types of breaches are identified by the advanced fraud analytics capabilities used by payment companies like American Express that pinpoint which merchant and service provider in their network has a high prevalence of fraud after a breach to alert them of the compromise.”
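The common-point-of-purchase analysis Mandy describes, as an added illustration that is not code from the article or from American Express: starting from cards later confirmed as fraudulent, rank merchants and the service providers behind them by how far their fraud rate exceeds the rate across all cards. The transactions, fraud dates and merchant-to-provider mapping below are constructed sample data, and the assumption is that the card issuer knows which provider processes each merchant's payments.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (no real cards, merchants or providers). The issuer is
# assumed to know which service provider processes each merchant's cards.
MERCHANT_PROVIDER = {"bakery": "ProcessorA", "garage": "ProcessorA",
                     "florist": "ProcessorA", "grocer": "ProcessorB", "cinema": "ProcessorB"}
# (card_id, merchant, purchase date)
TRANSACTIONS = [
    ("c1", "bakery", date(2024, 1, 3)), ("c1", "grocer", date(2024, 1, 4)),
    ("c2", "garage", date(2024, 1, 5)), ("c2", "grocer", date(2024, 1, 6)),
    ("c3", "florist", date(2024, 1, 7)), ("c3", "cinema", date(2024, 1, 8)),
    ("c4", "bakery", date(2024, 1, 9)), ("c4", "cinema", date(2024, 1, 10)),
    ("c5", "grocer", date(2024, 1, 11)), ("c5", "cinema", date(2024, 1, 12)),
    ("c6", "grocer", date(2024, 1, 13)), ("c7", "cinema", date(2024, 1, 14)),
    ("c9", "grocer", date(2024, 1, 15)), ("c10", "cinema", date(2024, 1, 16)),
    ("c11", "grocer", date(2024, 1, 17)),
    ("c8", "garage", date(2024, 3, 1)),  # after c8's fraud date, so ignored
]
# card_id -> date the issuer confirmed fraud on that card
FRAUD = {"c1": date(2024, 2, 1), "c2": date(2024, 2, 2), "c3": date(2024, 2, 3),
         "c4": date(2024, 2, 4), "c8": date(2024, 2, 5)}

def pre_fraud(transactions, fraud):
    """Drop purchases on or after the card's fraud date: they cannot explain it."""
    return [(c, m, w) for c, m, w in transactions
            if c not in fraud or w < fraud[c]]

def fraud_rates(transactions, fraud, group_by, min_cards=3):
    """{group: (fraud_cards, total_cards, rate)} for groups seen by at least
    min_cards distinct cards; group_by maps a merchant to itself or its provider."""
    cards_at = defaultdict(set)
    for card, merchant, _ in pre_fraud(transactions, fraud):
        cards_at[group_by(merchant)].add(card)
    out = {}
    for key, cards in cards_at.items():
        if len(cards) >= min_cards:
            hits = sum(1 for c in cards if c in fraud)
            out[key] = (hits, len(cards), hits / len(cards))
    return out

def rank_by_lift(transactions, fraud, group_by, min_cards=3):
    """Groups ordered by fraud rate relative to the rate across all cards."""
    cards = {c for c, _, _ in pre_fraud(transactions, fraud)}
    base = sum(1 for c in cards if c in fraud) / len(cards)
    rates = fraud_rates(transactions, fraud, group_by, min_cards)
    return sorted(((k, v[2] / base) for k, v in rates.items()),
                  key=lambda kv: kv[1], reverse=True)
```

Run `rank_by_lift(TRANSACTIONS, FRAUD, lambda m: m)` and then with `MERCHANT_PROVIDER.get`: at merchant level no single shop stands out, because each compromised merchant saw only one or two cards, but grouping by the shared provider lifts ProcessorA to 2.5 times the base rate.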
A company suffering from a third-party breach is sadly far too common, according to Joseph Carson, chief security scientist and advisory chief information security officer at access management provider Delinea Inc. “This incident is a strong reminder of the dependencies many organizations have on third-party providers, meaning that security is only as strong as the security protections those third parties have put in place to protect the data and privileged access,” he said.
Photo: Daniel Foster/Flickr