American Express Third-Party Data Breach Timeline
Date: 10 April 2024
American Express warned some of its cardholders last month that their data may have been compromised in a third-party breach. The New York-based company reported that one of its merchant processors became the victim of a cybersecurity incident. As a result, card information of many Amex users was stolen. We capture all the events from this incident in this American Express Third-Party Data Breach Timeline.
The growing interconnectivity of the business and digital world has made reliance on a network of third-party vendors and suppliers almost indispensable today. And while your partners can give a significant boost to your business, its scale and agility, they also bring their own share of cybersecurity risks to the table. The recent American Express Data Breach is a case in point.
A cybersecurity incident at a merchant processor led to the card information of Amex users being stolen. While Amex hasn't announced the exact number of customers who were affected, the alarm bells that this incident rang were loud, because the American Express brand is typically associated with high standards of service and security.
We've covered exactly how this data breach unfolded, how Amex responded and the actions it took to protect its customers. As always, the idea isn't to highlight the victim or their plight. The goal behind creating these Cyber Attack Timelines is to educate you on the damaging consequences cybersecurity incidents can have on your business reputation and bottom line. In this specific case, it is to underline the importance of third-party security, especially for financial entities as the new DORA regulations come into force in the EU next year.
Remember, our NCSC Assured Training in Cyber Incident Planning and Response covers the topic of third-party security in greater detail. It also teaches you how to prepare your response when a third-party vendor gets compromised and this directly impacts your business or its sensitive data. If you are particularly concerned about the security protocols of your supply chain or the data sharing contracts you have with them, invest in a Third Party Security Assessment conducted by expert cybersecurity consultants.
Topics covered in the American Express Third-Party Data Breach Timeline:
1. The Incident
2. The Impact on Customers & the Business
3. Actions Taken by Amex and the Government
The Incident - American Express Data Breach
- March 04, 2024: BleepingComputer reported that in a data breach notification filed (on Feb 26, 2024) with the state of Massachusetts under "American Express Travel Related Services Company," the company warned customers their credit cards may have been stolen. AmEx said: “Protecting the security of our Card Members’ information is very important to us and we strive to let you know about security concerns as soon as possible. We became aware that a third party service provider engaged by numerous merchants experienced unauthorised access to its system”.
- March 04, 2024: American Express advised customers to review their account statement over the next 12 to 24 months and report any suspicious behaviour. BleepingComputer reported that the company also suggested to customers to enable instant notifications via the American Express mobile app to receive notifications about fraud alerts and when purchases are made.
- March 04, 2024: Cybersecurity Dive said systems owned or controlled by American Express were not compromised by the data breach as per the February 26 customer notice template filed with the Massachusetts office. According to Cybersecurity Dive’s findings, the late February incident was one of 16 reported to the Massachusetts office by Amex or its affiliate, American Express Travel Related Services Company, in January and February.
- March 04, 2024: According to Dark Reading, the CEO and co-founder of Eureka Security, Liat Hayun, said in an emailed statement: "The recent data breach impacting American Express customers, coming just weeks after similar incidents at Bank of America, underscores the critical need for organisations to hold their service providers accountable for data security. Lessons from past breaches highlight the importance of robust access controls, as this incident likely stemmed from unauthorised system access".
- March 04, 2024: As per CyberNews’ report, Hayun said: “Lessons from past breaches highlight the importance of robust access controls. While mapping access points for sensitive data can be complex, it's a crucial security measure that organisations must prioritise in alignment with their overall business objectives and compliance requirements.”
The Impact on Amex and its Customers
- March 04, 2024: Several news publications confirmed that the incident was not caused by a data breach at American Express, but rather at a merchant processor in which American Express Card member data was processed.
- March 04, 2024: BleepingComputer’s report said the breach led to customers' American Express Card account numbers, names, and card expiration data being accessed by the hackers and it was unclear how many customers were impacted, what merchant processor was breached, and when the attack occurred.
- March 04, 2024: Cybersecurity Dive said overall, about 1,300 Massachusetts customers were supposedly impacted, the state document showed, though it wasn’t clear if there was overlap in the figures. An Amex spokesperson said in an email: “This incident resulted from a point of sale attack at a merchant processor in which American Express card member data was impacted. A courtesy notice of this incident was provided to the Massachusetts regulators due to impacts to American Express card members residing in Massachusetts”.
- March 04, 2024: According to Security Affairs, BlackFog CEO and founder Darren Williams said in an emailed comment: “The potential impact of the American Express data breach is not yet known, as it is unclear whether customers’ data was simply accessed or if it has been exfiltrated through the third-party provider. If the sensitive data of customers, including card numbers and expiration dates, has been exfiltrated by attackers, it can be used to not only make fraudulent purchases, but also to extort customers into further payments.”
Actions taken by Amex and the Government
- March 04, 2024: BleepingComputer asked American Express for more information about the breach and was reportedly told that the company does not disclose details of its business relationships or merchant partners, and that it had no further information to share at this time.
- March 04, 2024: According to BleepingComputer, American Express did say that they have notified the required regulatory authorities and are alerting impacted customers. The organisation said: "When we learn about a data security incident that impacts our customers, we promptly begin an investigation and notify the appropriate regulatory authorities, as required. We also work to identify impacted customers and understand the specific impacts, and then notify them as required by applicable laws and regulations.”
- March 04, 2024: American Express also told BleepingComputer that if a cardmember's credit card is used to make fraudulent purchases, customers would not be responsible for the charges.