American Express Customer Data Compromised in Third-Party Service Provider Breach


In a concerning development for financial security, American Express has announced that its customers’ credit card information has been compromised in a data breach. The breach occurred through a third-party service provider, marking another significant event in a series of financial data security breaches affecting major companies.

The Breach: A Closer Look

The Amex breach was disclosed in a notification filed with the state of Massachusetts, revealing that American Express’s own systems were not directly compromised. Instead, the exposure stemmed from a service provider used by the company’s travel services division, American Express Travel Related Services Company. Information at risk includes American Express card account numbers, names, and expiration dates. Customers holding more than one American Express credit card exposed in the breach have been advised to expect follow-up contact from the company.

Response and Recommendations

American Express has urged affected customers to vigilantly monitor their accounts for fraudulent activity over the next 12 to 24 months and to enable notifications in the American Express Mobile app for real-time account activity updates. The company assured its customers that they would not be held liable for any fraudulent charges detected on their accounts.

Industry-Wide Concerns About Leaks

This data breach comes on the heels of a similar incident at Bank of America, where a ransomware attack on third-party provider Infosys McCamish Systems affected at least 57,028 customers. These breaches underscore the growing concerns around third-party vendor security within the financial sector.

The Underlying Issues

The lack of details regarding how the Amex breach was detected and the scale of the compromise has been a point of criticism. Industry professionals highlight the need for better logging and monitoring capabilities among third-party providers so that data compromises can be identified and responded to effectively. The incident also highlights the broader issue of “nth party” risk: a weakness at a vendor, or at one of that vendor’s own suppliers, can expose every organization upstream that relies on them, even those with no direct relationship to the compromised party.

Moving Forward

Experts argue for a multi-faceted approach to mitigate third-party risk, including rigorous vetting during onboarding, specifying breach response responsibilities in contracts, and adopting best practices like data masking. The aim is to minimize access risk and ensure that third-party partners adhere to high standards of data security.
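Data masking, mentioned above as a best practice, is concrete enough to show. The block below is an added illustration, not code from American Express, the vendor, or the original article: it reduces a cardholder record to what a travel-services partner needs (name, last four digits, and a keyed surrogate for correlation) so that the full account number and expiration date, the two fields that make stolen data usable for fraud, never leave the issuer. The field names, the HMAC-based surrogate, and the sample card numbers (standard test numbers) are assumptions; a production deployment would use a tokenization vault rather than an in-process HMAC.

```python
import hashlib
import hmac
import re

# Payment card numbers (PANs) are 13 to 19 digits; anything else is rejected up front.
_PAN_DIGITS = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, the checksum every payment card number carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes, then insist on a well-formed, Luhn-valid PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not _PAN_DIGITS.match(digits) or not luhn_ok(digits):
        raise ValueError("not a well-formed card number")
    return digits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a vendor needs to identify a card."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_surrogate(pan: str, key: bytes) -> str:
    """Keyed surrogate (HMAC-SHA256) so the vendor can correlate records across
    requests without ever holding the PAN. The key stays with the issuer; without
    it the surrogate cannot be reversed or enumerated over the 10**16 PAN space.
    (Illustrative stand-in for a tokenization vault, an assumption of this example.)"""
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:32]


def minimize_for_vendor(record: dict, key: bytes) -> dict:
    """Build the record a third-party service provider receives.

    The input record (field names assumed) carries the full PAN and expiration
    date; neither is copied into the output, so a breach at the vendor exposes
    only names, last-four digits and unlinkable surrogates.
    """
    return {
        "name": record["name"],
        "pan_masked": mask_pan(record["pan"]),
        "pan_ref": pan_surrogate(record["pan"], key),
    }


if __name__ == "__main__":
    # Constructed sample cardholder record using a standard Amex test number.
    sample = {"name": "A. Cardholder", "pan": "3782 822463 10005", "expiration": "12/26"}
    print(minimize_for_vendor(sample, key=b"issuer-side-secret"))
```

The surrogate is deterministic per key, so the vendor can match a cardholder across sessions, yet two vendors given different keys cannot join their data sets; rotating the key severs the linkage entirely.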

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented: “The problem of service providers, who get successfully hacked, that then end up causing a much larger data breach compromise is quite common. Really anyone who has access to a system becomes an ingress point for hackers. That’s why all services must routinely take inventory of who has what type of access and ensure that they are following recommended security guidelines. It also can’t hurt to have data monitoring so that when a large amount of data begins to move in an unusual way it can be reviewed, and if unauthorized, stopped soon as possible.”
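The data monitoring Grimes describes, flagging a large amount of data moving in an unusual way so it can be reviewed and stopped, looks roughly like the block below. It is an added example, not code from KnowBe4, American Express, or the article: it parses a small constructed export audit log (format, principal names, and counts are all assumptions) and flags any principal whose per-hour record volume exceeds a multiple of its established baseline. The baselines would normally be learned from history; here they are supplied inline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an export audit log as a vendor integration might emit:
# "<ISO timestamp> <principal> <action> count=<records>". Not real data.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z svc-travel-vendor export_cards count=42
2024-03-04T09:40:55Z svc-travel-vendor export_cards count=37
2024-03-04T10:15:02Z svc-travel-vendor export_cards count=51
2024-03-04T11:03:19Z analyst-jdoe view_card count=1
this line is malformed and must be skipped, not crash the detector
2024-03-05T02:14:07Z svc-travel-vendor export_cards count=18000
2024-03-05T02:19:44Z svc-travel-vendor export_cards count=22500
"""

# Typical records per hour per principal (assumed; normally learned from history).
BASELINE = {"svc-travel-vendor": 60, "analyst-jdoe": 5}

_LINE = re.compile(r"^(\S+) (\S+) (\S+) count=(\d+)$")


def parse_events(log_text: str):
    """Yield (hour_bucket, principal, action, records) for each well-formed line."""
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # malformed lines are ignored rather than aborting the run
        ts, principal, action, count = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        yield hour, principal, action, int(count)


def hourly_volume(log_text: str) -> dict:
    """Total records touched per (principal, hour)."""
    totals = defaultdict(int)
    for hour, principal, _action, records in parse_events(log_text):
        totals[(principal, hour)] += records
    return dict(totals)


def flag_bulk_access(log_text: str, baseline: dict, factor: int = 10) -> list:
    """Return every (principal, hour) whose volume exceeds factor x its baseline.

    A principal with no baseline gets 0, so any activity by an unknown identity
    is flagged; that is deliberate, since an unexpected service account pulling
    records is exactly what the inventory-of-access advice above is about.
    """
    flagged = []
    for (principal, hour), records in sorted(hourly_volume(log_text).items()):
        limit = factor * baseline.get(principal, 0)
        if records > limit:
            flagged.append({
                "principal": principal,
                "hour": hour,
                "records": records,
                "baseline": baseline.get(principal, 0),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_bulk_access(SAMPLE_LOG, BASELINE):
        print(f"REVIEW: {hit['principal']} moved {hit['records']} records in hour "
              f"{hit['hour']} (baseline {hit['baseline']}/h)")
```

The daytime exports stay within bounds and are ignored; the two 02:00 exports aggregate to 40,500 records against a 60-per-hour baseline and are returned for review. Hooking the same function to a streaming log and pairing it with an automatic credential suspension turns the review into the "stopped as soon as possible" step Grimes mentions.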


The American Express data breach is a stark reminder of the vulnerabilities present in the complex supply chains of financial institutions. As cyber threats continue to evolve, it becomes increasingly important for organizations to invest in advanced data security capabilities, enforce robust access controls, and proactively reduce their data risk. The financial industry must prioritize these efforts to safeguard sensitive customer information against unauthorized access and ensure the integrity of their operations in the digital age.

