American Express is notifying its customers that their credit cards have been exposed in a breach involving a third-party service provider.
In a data breach notification filed with the state of Massachusetts, the American bank holding company and financial services company notes that its systems were not compromised by the incident.
The breach instead occurred through a supplier frequently used by the company’s travel services division.
Credit card information such as account numbers, names and expiration dates on American Express cards is at risk, and users should expect follow-up contact from the company if they have more than one American Express card involved in the breach.
Anyone potentially affected should review their accounts periodically over the next 12-24 months for any fraudulent activity. Users should also enable notifications from the American Express Mobile app to stay updated on their account activity.
“The recent data breach affecting American Express customers, which occurred just weeks after similar incidents at Bank of America, highlights the critical need for organizations to hold their service providers accountable for data security,” said Liat Hayun, CEO and co-founder of Eureka Security, in an emailed statement. “Lessons learned from past breaches highlight the importance of robust access controls, as this incident likely resulted from unauthorized access to the system.”
The Bank of America hack that Hayun was referring to was a leak that occurred just last month after a ransomware attack breached one of its third-party vendors, Infosys McCamish Systems (IMS), affecting at least 57,028 customers. While IMS reported that it was unable to determine with certainty what information was compromised, it likely included sensitive material such as Social Security numbers, names, addresses, dates of birth and other private information.
In its letter, American Express offered users suggestions for protecting their information and assured them that if they find fraudulent activity on their accounts, they will not be held responsible for those charges.