Amex admits to data breach from employee trying to commit fraud
American Express (Amex) has sent a data breach notice to a portion of its customers, explaining their personal account information “may have been wrongfully accessed” by one of its employees “in an attempt to commit fraudulent activity.”
The letter from the US-based card provider, sent September 30, says its employee may have opened accounts at other financial institutions, compromising names, card numbers, billing addresses, dates of birth and social security numbers.
Amex says it “immediately” launched an investigation into the data breach in response, working with law enforcement agencies to find out who is behind it.
The card provider told customers affected to “stay vigilant” over the next 12 to 24 months, and to enable free fraud and account activity alerts on their Amex app.
As a peace offering, the multinational firm, which has $188 billion in assets, offered customers whose data was compromised a complimentary two-year membership of Experian IdentityWorks, which will help them detect future misuse of their personal data and immediately identify cases of theft or fraud.
Customers already paying for the service will get two years free added to their subscription.
Amex also assured customers whose information was exposed that they will not be held liable for any fraudulent charges.
When Infosecurity Magazine asked Amex for comment, it refused to say how many customers had been affected by the breach but did state that “only a small number of our customers were impacted.”
“I would note that this was not a breach of American Express’ systems and the person in question is no longer an employee of American Express,” the card provider revealed.