That’ll do nicely: Hackers help themselves to American Express credit card data
It would appear that hackers didn’t have to leave home without it – they didn’t even have to own an American Express card to get their hands on card data.
The Chief Privacy Officer at American Express, Anneke Covell, has written to some AMEX cardholders to warn them their “current or previously issued American Express card account number, your name, and other card information such as the expiration date, may have been compromised”.
An American Express spokesperson has stated that there was no data breach “at American Express or at a service provider of American Express”. Instead, the security incident impacted the servers of a third-party merchant processor.
Just which processor remains unclear at this point in time, as do the numbers of AMEX customers whose data may have been compromised. It isn’t even known when the hack occurred, as this information hasn’t been released.
American Express credit card hack: notification letter
The customer letter has only surfaced because Massachusetts publicises privacy breaches and so published the disclosure.
The letter begins with the usual your-security-is-very-important-to-us statement, before confirming that “a third-party service provider engaged by numerous merchants experienced unauthorized access to its system”.
As well as assuring customers that it is “vigilantly monitoring your account for fraud,” Covell wrote, “if it should occur, you are not liable for fraudulent charges on your account”.
Expert response to AMEX credit card leak
Boris Cipot, a Senior Security Engineer at the Synopsys Software Integrity Group, told TechFinitive that “data owners must ensure that partnering companies treat the data securely and responsibly, similar to how it’s managed within our own systems. American Express, for instance, promptly notified affected users and authorities in response to a recent incident. However, preventing such incidents in the future remains a significant challenge.”
“If the sensitive data of customers, including card numbers and expiration dates, has been exfiltrated by attackers, it can be used to not only make fraudulent purchases but also to extort customers into further payments,” Darren Williams, CEO at BlackFog, said.
“All service providers who hold customer data should be investing in threat intelligence and anti-data-exfiltration technology to avoid attacks just like these.”
What American Express cardholders should do now
Meanwhile, Cipot advises that affected users should “monitor their card statements closely,” and that “replacing the card is a recommended preventive measure.”
Now that news of this data breach has emerged, there's also the opportunistic phishing threat to worry about.
“American Express users should remain vigilant against social engineering or phishing attacks,” Cipot concluded, “as stolen data can be exploited to gain victims’ trust and extract sensitive information. It’s crucial not to disclose any personal information via email or phone in such circumstances.”