Payment card provider American Express Company is warning customers that their credit card details may have been exposed following a breach involving a third-party provider.
The details were first revealed in a filing with the State of Massachusetts, with a form letter sent to affected customers stating that a third-party service provider “engaged by numerous merchants experienced unauthorized access to its system.” The breach resulted in account information of American Express members, including names, card numbers and expiry dates, potentially being compromised.
Surprisingly, American Express did not follow the usual data breach response playbook, which would typically include an offer of credit monitoring and a description of the remediation steps being taken. Instead, the letter simply states that customers should “be assured we are vigilantly monitoring your account for fraud and, if it should occur, you are not liable for fraudulent charges on your account.”
Neither the name of the third-party company that was breached nor the nature of the attack has been disclosed. A spokesperson for American Express did provide some additional details to Bleeping Computer today, saying that the company has begun an investigation and has notified the appropriate regulatory authorities as required. “We [will] also work to identify impacted customers and understand the specific impacts and then notify them as required by applicable laws and regulations,” the spokesperson added.
The scant details provided by American Express did not go unnoticed. Claude Mandy, chief evangelist of data security at data security posture management company Symmetry Systems Inc., told SiliconANGLE that “the most disappointing aspect of this breach is the lack of detail — particularly over how the incident was detected and the scale of the compromise.”
“Although further details are hopefully forthcoming, this is indicative of similar third-party compromises in the payments industry,” Mandy explained. “The service provider often has insufficient logging and monitoring capability to determine what data was compromised, let alone whether the breach occurred. As a result, these types of breaches are identified by the advanced fraud analytics capabilities used by payment companies like American Express that pinpoint which merchant and service provider in their network has a high prevalence of fraud after a breach to alert them of the compromise.”
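The detection Mandy describes, an issuer looking for the merchant or service provider whose cards subsequently go bad at an unusual rate, is known in the payments industry as common-point-of-purchase analysis. The script below is an added example written for this page; it is not code from American Express, Symmetry Systems, or the article, and every merchant, provider, card token and fraud report in it is constructed, with the flagging thresholds chosen as illustrative assumptions. It compares the fraud rate among cards seen at each entity against the rate among all other cards, then rolls merchants up to the provider they share, where a provider-side breach shows up far more strongly than at any single merchant.

```python
from collections import defaultdict

# Constructed mapping (assumption for this example): which third-party payment
# service provider each merchant routes card data through.
MERCHANT_PROVIDER = {
    "m-coffee": "sp-alpha",
    "m-books": "sp-alpha",
    "m-fuel": "sp-beta",
    "m-grocer": "sp-beta",
    "m-hotel": "sp-gamma",
}


def _cards(lo, hi):
    """Card tokens stand in for PANs; never carry real card numbers in analytics."""
    return [f"card-{i:02d}" for i in range(lo, hi)]


# Constructed transaction history: (card_token, merchant_id). Sixty cards spread
# over five merchants with overlapping customers between neighbouring merchants.
TRANSACTIONS = (
    [(c, "m-coffee") for c in _cards(0, 15)]
    + [(c, "m-books") for c in _cards(10, 25)]
    + [(c, "m-fuel") for c in _cards(25, 40)]
    + [(c, "m-grocer") for c in _cards(35, 50)]
    + [(c, "m-hotel") for c in _cards(45, 60)]
)

# Constructed fraud reports: cards later reported for unauthorised charges.
# Twelve cluster on the two sp-alpha merchants; one is background noise.
FRAUD_CARDS = set(_cards(0, 6)) | set(_cards(15, 21)) | {"card-40"}


def exposed_cards(transactions, group_by):
    """Map each entity (merchant or provider) to the set of cards seen there."""
    seen = defaultdict(set)
    for card, merchant in transactions:
        seen[group_by(merchant)].add(card)
    return seen


def fraud_lift(transactions, fraud_cards, group_by):
    """Per entity: (fraud_in, exposed, lift).

    lift = fraud rate among cards seen at the entity / fraud rate among all
    other cards. A breach at the entity inflates the first but not the second,
    which is what separates a compromised merchant from a generally bad month.
    """
    seen = exposed_cards(transactions, group_by)
    all_cards = {card for card, _ in transactions}
    result = {}
    for entity, cards in seen.items():
        fraud_in = len(cards & fraud_cards)
        others = all_cards - cards
        fraud_out = len(others & fraud_cards)
        rate_in = fraud_in / len(cards)
        rate_out = fraud_out / len(others) if others else 0.0
        if rate_out:
            lift = rate_in / rate_out
        else:
            lift = float("inf") if rate_in else 0.0
        result[entity] = (fraud_in, len(cards), lift)
    return result


def common_points(transactions, fraud_cards, group_by,
                  min_cards=10, min_fraud=5, min_lift=2.0):
    """Entities whose exposed cards go bad at well above the background rate.

    min_cards and min_fraud provide minimum support so a single report against a
    tiny merchant does not produce a huge but meaningless lift. Thresholds are
    illustrative assumptions, not industry values.
    """
    stats = fraud_lift(transactions, fraud_cards, group_by)
    flagged = [
        (entity, fraud_in, exposed, lift)
        for entity, (fraud_in, exposed, lift) in stats.items()
        if exposed >= min_cards and fraud_in >= min_fraud and lift >= min_lift
    ]
    return sorted(flagged, key=lambda row: row[3], reverse=True)


def flagged_merchants():
    return [row[0] for row in common_points(TRANSACTIONS, FRAUD_CARDS, lambda m: m)]


def flagged_providers():
    return [row[0] for row in common_points(
        TRANSACTIONS, FRAUD_CARDS, lambda m: MERCHANT_PROVIDER[m])]


if __name__ == "__main__":
    print("merchants with elevated fraud:", flagged_merchants())
    print("providers with elevated fraud:", flagged_providers())
```

Run stand-alone, the merchant pass flags both sp-alpha merchants with the same modest lift and no visible link between them; the provider pass, grouping their cards together, flags sp-alpha alone with a lift an order of magnitude higher. That roll-up is the step that lets an issuer name a service provider it has no direct relationship with, and it depends entirely on the issuer maintaining an accurate merchant-to-provider mapping, which is exactly the information a breached provider may not volunteer.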
Companies suffering third-party breaches are sadly far too common, noted Joseph Carson, chief security scientist and advisory chief information security officer at access management provider Delinea Inc. “This incident is a strong reminder of the dependencies many organizations have on third-party providers, meaning that security is only as strong as the security protections those third parties have put in place to protect the data and privileged access,” he said.