American Express Customer Data Exposed in Third-Party Vendor Data Breach

American Express has issued a notification to its customers regarding a data breach that occurred at a third-party services provider. The breach resulted in the exposure of certain customer information, as outlined in a letter sent to affected individuals and shared with the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).

According to American Express, the compromised data includes names, current and previous card account numbers, and associated details like expiration dates. Importantly, American Express asserts that its own systems were not compromised in the incident.

The company reassures customers that it is actively monitoring accounts for any signs of fraudulent activity and emphasizes that affected individuals will not be held responsible for unauthorized charges. Additionally, American Express offers recommendations for safeguarding personal and card information but does not provide specifics on how the breach occurred or the exact number of individuals impacted.

Recent reports from Massachusetts OCABR indicate that American Express has disclosed multiple third-party data breaches in recent weeks, involving various retailers and partners. In each incident, credit or debit card numbers were compromised.

Darren Williams, CEO and founder of BlackFog, expressed concern about the potential repercussions of the breach. He highlighted the uncertainty surrounding whether the accessed data was merely viewed or extracted by the attackers. If sensitive information such as card numbers and expiration dates were indeed exfiltrated, it could not only lead to fraudulent purchases but also potentially subject customers to extortion attempts.

This incident underscores the ongoing challenges faced by companies and consumers alike in protecting sensitive data in an increasingly interconnected digital landscape.