American Express Notifies Cardholders of Third-Party Breach

American Express has begun notifying cardholders that their data may have been compromised in a third-party breach.

A notification letter filed on March 10 with California’s attorney general indicates that AmEx account numbers, user names and other information including expiration dates may have been accessed.

“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved,” American Express chief privacy officer Stefanie Ash said in the letter. “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.”

Ash said that American Express is monitoring accounts for fraud, and asks its customers to do the same with their statements.

American Express did not say how many records were accessed, nor did it identify the third party, or how the partner was compromised. The type of data accessed or stolen can be used in a number of fraudulent activities, or sold online in a cybercrime forum.

Credit card breaches have fallen off the radar since a brutal 12-month stretch starting in December 2013 during which Target, Home Depot, Michaels and other large retailers and payment processors suffered large breaches.

Third parties were to blame in some of the attacks, most notably Target, where attackers were able to exploit stolen credentials for an HVAC system tied to the retailer’s payment system. In other breaches, attackers were able to plant malware on point-of-sale systems and read credit card numbers before they were encrypted and sent to payment processors.

The move in the U.S. toward chip-and-PIN credit cards has eased the onslaught of breaches. Last October, there was a liability shift where the party causing a fraudulent transaction will be responsible for losses if chip-and-PIN is not part of the transaction.

Discussion

  • Keith on

    It's definitely time for chip and pin technology. The question is how secure is that technology? It seems like I've heard somewhere that the new technology is vulnerable as well. Let’s see how long the new era of credit card security actually lasts.
    • James McLaren on

      Chip and pin has two weaknesses. One is that there have been documented issues with the implementation of the EMV protocol (you want to check out lightbluetouchpaper.org for the full details). The other is that Chip and PIN is not designed for card not present transactions (e.g. over telephone or internet), and much of the fraud has migrated there instead.
  • James Paul on

    My Amex card with chip was compromised and the account used in California while it remained in my wallet in Seattle. The chip appears to be a false sense of security.
    • Gnome de Plume on

      As implemented in the US? Yes. It is. We didn't really implement "chip and pin". We swapped swiping for chip and signature, which changes nothing at all. In other parts of the world, online transactions can require a code generated via a remote chip/pin terminal. You insert your card, enter your pin, and get a unique 6 digit number to enter online.
  • Hans on

    Title of the article should really be "Numerous credit card issuers notify of third party breach."
  • haste on

    Chip is perfectly secure for card present fraud (skimmers remaking fake cards with your data) and has no protection for card not present.
  • bitshuffler on

    if you expose your PIN, expect to get compromised at some point. chip or no chip.
  • Andrew David Stoneman on

    A few weeks into a sixty day trip to Latin America MBNA informed me that they were blocking BOTH my MBNA Amex and Visa cards as my account was at risk of fraud. They subsequently told me that ONE set of card details MAY have been compromised at a retailer I had used the card at within the last 12-18 months (they refused to name the retailer) but were blocking BOTH cards as they are linked to the same account. It seems that this was for their own administrative convenience rather than to prevent fraud on the second card. They refused to ship a replacement card to Latin America leaving me high and dry. They have also refused to provide a written answer to my complaint or provide transcripts of my calls. Instead they have sent me a series of three holding letters. Each of which has simply extended their self imposed deadline for providing a response (end of Feb to end of March to end of April). Had my bank (First Direct) not come to my rescue I would have been in dire straits and would have been stranded in Latin America without any money. I would therefore strongly advise any traveller on relying on one or more cards from a single company and would advise them to carry multiple cards from multiple companies! I would also advise anyone who is thinking of taking out a card from MBNA to think twice!
