That’ll do nicely: Hackers help themselves to American Express credit card data

It would appear that hackers didn’t have to leave home without it – they didn’t even have to own an American Express card to get their hands on card data.

The Chief Privacy Officer at American Express, Anneke Covell, has written to some AMEX cardholders to warn them their “current or previously issued American Express card account number, your name, and other card information such as the expiration date, may have been compromised”.

An American Express spokesperson has stated that there was no data breach “at American Express or at a service provider of American Express”. Instead, the security incident impacted the servers of a third-party merchant processor.

Just which processor was affected remains unclear at this point in time, as does the number of AMEX customers whose data may have been compromised. It isn’t even known when the hack occurred, as this information hasn’t been released.

American Express credit card hack: notification letter

The customer letter has only surfaced because Massachusetts publicises privacy breaches and so published the disclosure.

The letter begins with the usual your-security-is-very-important-to-us statement, before confirming that “a third-party service provider engaged by numerous merchants experienced unauthorized access to its system”.

As well as assuring customers that it is “vigilantly monitoring your account for fraud,” Covell wrote, “if it should occur, you are not liable for fraudulent charges on your account”.

Expert response to AMEX credit card leak

Boris Cipot, a Senior Security Engineer at the Synopsys Software Integrity Group, told TechFinitive that “data owners must ensure that partnering companies treat the data securely and responsibly, similar to how it’s managed within our own systems. American Express, for instance, promptly notified affected users and authorities in response to a recent incident. However, preventing such incidents in the future remains a significant challenge.”

“If the sensitive data of customers, including card numbers and expiration dates, has been exfiltrated by attackers, it can be used to not only make fraudulent purchases but also to extort customers into further payments,” Darren Williams, CEO at BlackFog, said.

“All service providers who hold customer data should be investing in threat intelligence and anti-data-exfiltration technology to avoid attacks just like these.”

What American Express cardholders should do now

Meanwhile, Cipot advises that affected users should “monitor their card statements closely,” and that “replacing the card is a recommended preventive measure.”

Now that news of this data breach has emerged, there’s also the opportunistic phishing threat to worry about.

“American Express users should remain vigilant against social engineering or phishing attacks,” Cipot concluded, “as stolen data can be exploited to gain victims’ trust and extract sensitive information. It’s crucial not to disclose any personal information via email or phone in such circumstances.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
