Payment card services provider American Express is notifying Amex card users and regulators of a third-party breach that exposed customer information.
In a notification letter filed with the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), American Express said it learned that a merchant processor was the victim of a data breach.
The New York-based company determined that the cybersecurity incident leaked payment account information, including credit card numbers.
Third-party breach leaked Amex card details
American Express said the third-party breach granted unauthorized entities access to customer information from a payment processor used by numerous merchants.
“We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system,” said American Express.
The company determined that the third-party breach leaked sensitive customer data, including current or previously issued American Express card account numbers, names, and other card information such as the card expiration dates.
However, American Express stressed that its internal systems were not compromised during the third-party breach.
“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” the company said.
Additionally, the company has implemented internal security measures to detect abuse and was “vigilantly monitoring” customers’ accounts.
“We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity. If we see there is unusual activity that may be fraud, we will take protective actions,” the company said.
The financial services company also assured the impacted American Express Card Members that they were not “liable for fraudulent charges” incurred due to the third-party breach. Nevertheless, American Express customers should monitor and review their accounts for fraudulent activity, especially within the next 12-24 months.
Similarly, they should enable app, email, and text notifications on the American Express Mobile app to receive important account, transaction, and security alerts, change their account passwords and place card locks and credit freezes. To minimize the risk of abuse, customers should request new credit card numbers should theirs be compromised as a result of the third-party breach.
American Express has not disclosed the compromised payment processor’s identity or the number of customers impacted out of its more than 120 million Amex card users globally.
“The most disappointing aspect of this breach is the lack of detail – particularly over how the incident was detected and the scale of the compromise,” said Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems. “Our thoughts go out to the compromised cardholders, who are left with the burden of monitoring for future fraud.”
Credit card data theft still lucrative
It also remains unclear if the compromised details have been leaked to underground carding forums, where each credit card costs about $10. However, stolen credit cards are sometimes leaked for free to promote other cybercrime services.
Credit card details are popular on the dark web marketplaces because they are readily exploitable and sell quickly. Consequently, credit card scraping via point-of-sale malware and digital skimming through Magecart attacks on e-commerce checkout pages remains a serious security challenge for retailers and consumers worldwide.
In 2023, the Federal Trade Commission received 1.036 million reports of identity theft, with 416,582 involving credit cards, highlighting the high prevalence of payment card data theft.
Between January 19 and March 7, 2024, American Express notified OCABR of 16 data breaches involving credit card numbers, affecting hundreds of Massachusetts residents. With many incidents impacting a single-digit number of customers, the pattern suggests point-of-sale attacks.
“This incident is a strong reminder of the dependencies many organizations have on third-party providers, meaning that security is only as strong as the security protections those third parties have put in place to protect the data and privileged access,” concluded Joseph Carson, chief security scientist and Advisory CISO at Delinea.