UPDATE: Amex warns of breach, cardholders should protect data
American Express warned customers of a merchant breach.
After a merchant breach prompting American Express to warn customers that card member information may have been compromised, cardholders should take multiple steps to protect their sensitive data.
A notice to customers filed with the Office of the Attorney General in California, Stefanie Ash, chief privacy officer (CPO), U.S. American Express Company, said that account numbers, names, expiration dates and other information could have been exposed. Amex said it was “vigilantly monitoring” accounts for fraudulent activity and asked customers to do the same. The notice said that customers could receive more than one letter about the incident if more than one account was affected.
“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” Ash wrote.
The Amex notification filed with Ash's office initially attributed the breach to a third-party service provider, but a company spokeswoman told SCMagazine.com that an incorrect version of the notice was "inadvertently filed" with California AG.
"The incident American Express reported to the California Attorney General on March 10 was not a breach of any American Express environment or service provider, but rather was a merchant breach," the spokeswoman said, noting that a correct version had been sent "to Card Members in California notifying them of a merchant breach."
"We sent the letter as a courtesy to our Card Members in California when we were made aware of the breach by the merchant," she said. That letter "includes information and resources that they can use to protect their information." The company is in the process of filing a correct version of the notification with Ash's office.
To protect themselves, Fasoo President Bill Blake noted that as an Amex user, he's turned on immediate notification so he is alerted to purchases being made on his account, whether or not the card is presented. “Members can choose the amount limit on the transaction and the type of notification (text, email, etc.) It gives users immediate notification, as well as some level of peace of mind,” he said.
Blake recommended that cardholders request a new card, add two-factor authentication “to any financial websites or ones with personal information that support it” and, of course, change passwords in addition to monitoring their accounts for suspicious activity, placing fraud alerts on credit reports and creating “an Identity Theft Report with the Federal Trade Commission (FTC).”
UPDATE: This story has been updated to include a clarification by American Express that the breach occurred with a merchant not a third-party provider, as an incorrect version of the notification letter filed with the California AG had indicated.