
Unpacking the American Express Third-Party Breach


American Express recently warned its customers about a data breach at a third party. Before you panic, let's look at what actually happened and what it means for cardholders and for organizations that depend on outside vendors.


The Breach

The breach did not occur within American Express's own systems but at a third-party service provider, one used by American Express Travel Related Services Company. An attacker gained unauthorized access to the provider's systems, and card data held there was exposed.


What got exposed? 

The exposed data consists of American Express card account numbers, cardholder names, and card expiration dates. Those three fields are enough for many card-not-present purchases, which is why the guidance below centers on monitoring and card replacement. The scale of the breach, the name of the service provider, and the exact timing of the attack have not been released.


American Express's Response

Asked for more details, American Express declined to discuss its business relationships or merchant partners. It did say that it has notified the relevant regulatory authorities and is in the process of alerting affected customers.

American Express has also made clear that cardholders are not liable for fraudulent charges made with the compromised card details.


Tips for Cardholders

So, what should you do if you’re one of the potentially affected customers? Here are a few pointers:


Stay Vigilant: Keep an eye on your account statements for the next 12 to 24 months for any suspicious activity.

Enable Notifications: Through the American Express mobile app, you can set up instant notifications to get alerts about fraud attempts and real-time purchase confirmations.

Consider a Card Refresh: If your card details were compromised, ask for a replacement card with a new number. Stolen card numbers are routinely resold on underground markets, and a new number makes the stolen record worthless.


Tips for Organizations

This incident matters to organizations as much as to cardholders: any company that lets a third party handle its sensitive data carries the same risk. Here are some essential practices for limiting exposure to third-party breaches like this one:


Strengthen Vendor Management

Conduct Thorough Risk Assessments:

Before onboarding a new vendor, take the time to assess their security posture. This includes evaluating their data handling practices, security controls, and breach history.

Set Clear Security Expectations:

When drafting contracts, be explicit about your security requirements. Include clauses that obligate vendors to adhere to specific security standards, to notify you of security incidents within a defined time window, and to cooperate with your investigation when one occurs.


Implement Monitoring Systems

Continuous Monitoring:

Keep a watchful eye on your third-party vendors' security practices. Use tools that offer ongoing insight into their security posture, and verify that they consistently meet the standards you agreed on rather than only checking at onboarding.

Audit Regularly:

Schedule periodic audits to verify compliance with agreed-upon security standards. These audits can be a mix of self-assessments, third-party audits, and on-site visits.


Culture of Security Awareness

Educate Your Team:

Make sure your employees understand the risks associated with third-party vendors. Regular training sessions can help staff recognize potential security threats and respond appropriately.

Collaborative Security Practices:

Encourage a culture where security is everyone’s responsibility. Facilitate open communication between departments to ensure swift action in the event of a third-party breach.


Develop a Comprehensive Incident Response Plan

Prepare for the Worst:

Have a well-documented incident response plan that includes procedures for dealing with third-party breaches. This plan should outline the steps to take, who to contact (including each vendor's incident contact), which data each vendor holds, and how to communicate with customers and regulators during a security incident.

Test Your Response:

Regularly test your incident response plan through drills and simulations. This will help identify any weaknesses and ensure everyone knows their role in a crisis.


Leverage Technology to Your Advantage

Use Security Software:

Invest in security solutions that can monitor and analyze the traffic between your organization and your third-party vendors. Look for tools that can detect anomalies and block malicious activities.
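One way to put "detect anomalies" into practice for vendor traffic is to learn a baseline from a known-good period and flag deviations from it. The following is an added example, not code from the original post or from any product: it assumes a hypothetical key=value log format from an API gateway that sits between you and your vendors, with a few constructed log lines embedded inline, and flags calls from a source address or action never seen before and calls that pull far more records than the baseline ever did.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical gateway log format (an assumption for this example):
# one call per line, fields as key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+)$"
)

# Constructed sample data: a known-good baseline period and a later day to check.
BASELINE_LOG = """\
2024-02-26T09:00:00Z vendor=travel-processor src=203.0.113.10 action=card.lookup records=20
2024-02-26T13:00:00Z vendor=travel-processor src=203.0.113.10 action=card.lookup records=35
2024-02-27T10:00:00Z vendor=travel-processor src=203.0.113.11 action=card.lookup records=50
"""

NEW_LOG = """\
2024-03-01T09:15:00Z vendor=travel-processor src=203.0.113.10 action=card.lookup records=40
2024-03-01T02:40:00Z vendor=travel-processor src=198.51.100.7 action=card.lookup records=45
2024-03-01T02:41:00Z vendor=travel-processor src=198.51.100.7 action=card.export records=5000
this line is not in the expected format and is skipped
"""


@dataclass(frozen=True)
class Event:
    ts: str
    vendor: str
    src: str
    action: str
    records: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["vendor"], m["src"], m["action"], int(m["records"]))


def parse_log(text: str) -> List[Event]:
    """Parse a whole log, silently dropping malformed lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


@dataclass
class VendorBaseline:
    sources: Set[str]    # source addresses seen during the baseline period
    actions: Set[str]    # API actions seen during the baseline period
    max_records: int     # largest single-call record count seen


def build_baseline(events: List[Event]) -> Dict[str, VendorBaseline]:
    """Learn per-vendor normal behaviour from a known-good set of events."""
    baseline: Dict[str, VendorBaseline] = {}
    for e in events:
        b = baseline.setdefault(e.vendor, VendorBaseline(set(), set(), 0))
        b.sources.add(e.src)
        b.actions.add(e.action)
        b.max_records = max(b.max_records, e.records)
    return baseline


def detect_anomalies(events: List[Event], baseline: Dict[str, VendorBaseline],
                     spike_factor: int = 3) -> List[Tuple[str, str, str]]:
    """Return (timestamp, vendor, reason) for every event that deviates from baseline.
    A single event can produce several alerts (e.g. new source AND volume spike)."""
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        b = baseline.get(e.vendor)
        if b is None:
            alerts.append((e.ts, e.vendor, "vendor not in baseline"))
            continue
        if e.src not in b.sources:
            alerts.append((e.ts, e.vendor, f"new source address {e.src}"))
        if e.action not in b.actions:
            alerts.append((e.ts, e.vendor, f"new action {e.action}"))
        if e.records > spike_factor * b.max_records:
            alerts.append((e.ts, e.vendor,
                           f"volume spike: {e.records} records (baseline max {b.max_records})"))
    return alerts


def run_example() -> List[Tuple[str, str, str]]:
    """Build the baseline from BASELINE_LOG and scan NEW_LOG."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for ts, vendor, reason in run_example():
        print(f"{ts} {vendor}: {reason}")
```

On the constructed data the first call looks normal and produces nothing; the second comes from an address the vendor never used before; the third is a bulk export from that same unknown address, which trips all three checks at once. A real deployment would refresh the baseline on a schedule and add time-of-day and rate checks, but the shape is the same: learn what normal vendor access looks like, then alert on what it is not.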

Encrypt Sensitive Data:

Encrypt sensitive data in transit and at rest, and share only the fields a vendor actually needs: a masked or tokenized card number is often sufficient for a vendor to do its job. Encryption helps only as long as the keys stay under your control; data a vendor can decrypt is exactly as safe as the vendor.
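The data lost in this incident (card numbers, names, expiration dates) is the kind a vendor frequently does not need in clear form. The following is an added example, not code from the original post: it validates a card number with the Luhn check, keeps only the last four digits for display, and replaces the full number with an HMAC-SHA256 token computed under a key that never leaves your side, so the vendor can still correlate records per card but cannot recover the number. The field allowlist, the `customer_ref` field and the test card numbers are assumptions made for the example; a plain unkeyed hash is deliberately not used, because the card-number space is small enough to brute-force from a hash.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _digits(pan: str) -> str:
    """Strip spaces and dashes so formatted input tokenizes the same as raw input."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation: rejects typos and garbage before we tokenize."""
    digits = [int(c) for c in _digits(pan)]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits replaced by '*'."""
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed token: HMAC-SHA256 over the card digits.
    Same card -> same token (records stay linkable); without the key the
    token cannot be reversed or brute-forced over the card-number space."""
    if len(key) < 32:
        raise ValueError("tokenization key must be at least 32 bytes")
    return hmac.new(key, _digits(pan).encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_vendor(record: Dict[str, str], key: bytes,
                       allowed_fields: Tuple[str, ...] = ("customer_ref",)) -> Dict[str, str]:
    """Build the record a vendor receives: masked + tokenized card number plus
    only the extra fields the vendor is contractually allowed to have.
    Everything else in the input (name, full PAN, ...) is dropped."""
    pan = record["pan"]
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    out = {"pan_masked": mask_pan(pan), "pan_token": tokenize_pan(pan, key)}
    for field in allowed_fields:
        if field in record:
            out[field] = record[field]
    return out


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM; here it is generated for the demo.
    demo_key = secrets.token_bytes(32)
    # Constructed sample record using a well-known public test card number.
    customer = {"customer_ref": "C-1001", "name": "A. Cardholder",
                "pan": "3782 822463 10005", "expiry": "05/27"}
    print(prepare_for_vendor(customer, demo_key, allowed_fields=("customer_ref", "expiry")))
```

Deciding which fields go into `allowed_fields` is the contractual part of vendor management from the earlier section; the code only enforces the decision. If a vendor genuinely needs the full card number, that is a signal to scope the relationship carefully and to treat the vendor as in-scope for the same card-data controls you apply to yourself.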


Wrapping Up

It is unsettling news, especially when it touches a giant like American Express, but it is also a reminder to stay proactive. For consumers, that means setting up transaction alerts and credit monitoring and reviewing card purchases regularly. For organizations, it means knowing which third parties hold your data, monitoring them, and being prepared for the day one of them is breached. With data breaches it is not a matter of if, but of when.