Dive Brief:
- Card issuer American Express notified cardholders this month that their personal information may have been compromised due to a merchant processor being hacked.
- “We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system,” the company wrote in a template notice to customers filed Feb. 27 with the Massachusetts Office of Consumer Affairs and Business Regulation. “Account information of some of our card members, including some of your account information, may have been involved.”
- A spokesperson for the New York-based company didn’t respond to questions about the number of Amex cardholders that may have been affected by the hack; what date the hack occurred; when the company became aware of the breach; when it notified customers about it; or what the name of the hacked merchant processor was.
Dive Insight:
Systems owned or controlled by American Express were not compromised by the data breach, said the Feb. 26 customer notice template filed with the Massachusetts office.
The late February incident was one of 16 reported to the Massachusetts office by Amex or its affiliate, American Express Travel Related Services Company, in January and February. Overall, about 1,300 Massachusetts customers were impacted, the state document showed, though it wasn’t clear if there was overlap in the figures.
“This incident resulted from a point of sale attack at a merchant processor in which American Express card member data was impacted,” an Amex spokesperson said in a Monday email. “A courtesy notice of this incident was provided to the Massachusetts regulators due to impacts to American Express card members residing in Massachusetts.”
Current or previously issued Amex card numbers, names and other card information, such as expiration dates, may have been compromised, the notices said. Customers were informed their accounts are being monitored for fraud and, if fraudulent charges occur, customers are not liable, according to the notices.
American Express has monitoring systems and internal safeguards to help detect fraudulent and suspicious activity, the spokesperson noted. “We also recommend customers regularly review and monitor their account activity, and immediately contact us if they detect any suspicious activity,” the spokesperson said.
A November 2023 breach at an IT provider exposed the data of about 57,000 Bank of America customers, Banking Dive reported last month.
Such breaches “highlight the importance of robust access controls,” as the breach exposing Amex customer information likely stemmed from unauthorized system access, Liat Hayun, CEO and co-founder of Eureka Security, said in an email.