American Express Notifies Cardholders of Third-Party Breach

American Express has begun notifying cardholders that their data may have been compromised in a third-party breach.

A notification letter filed on March 10 with California’s attorney general indicates that AmEx account numbers, user names and other information including expiration dates may have been accessed.

“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved,” American Express chief privacy officer Stefanie Ash said in the letter. “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.”

Ash said that American Express is monitoring accounts for fraud, and asks its customers to do the same with their statements.

American Express did not say how many records were accessed, nor did it identify the third party, or how the partner was compromised. The type of data accessed or stolen can be used in a number of fraudulent activities, or sold online in a cybercrime forum.

Credit card breaches have fallen off the radar since a brutal 12-month stretch starting in December 2013 during which Target, Home Depot, Michaels and other large retailers and payment processors suffered large breaches.

Third parties were to blame in some of the attacks, most notably Target, where attackers were able to exploit stolen credentials for an HVAC system tied to the retailer’s payment system. In other breaches, attackers were able to plant malware on point-of-sale systems and read credit card numbers before they were encrypted and sent to payment processors.

The move in the U.S. toward chip-and-PIN credit cards has eased the onslaught of breaches. Last October, there was a liability shift where the party causing a fraudulent transaction will be responsible for losses if chip-and-PIN is not part of the transaction.