After a merchant breach prompting American Express to warn customers that card member information may have been compromised, cardholders should take multiple steps to protect their sensitive data.

notice to customers filed with the Office of the Attorney General in California, Stefanie Ash, chief privacy officer (CPO), U.S. American Express Company, said that account numbers, names, expiration dates and other information could have been exposed. Amex said it was “vigilantly monitoring” accounts for fraudulent activity and asked customers to do the same. The notice said that customers could receive more than one letter about the incident if more than one account was affected.

“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” Ash wrote.

The Amex notification filed with Ash's office initially attributed the breach to a third-party service provider, but a company spokeswoman told that an incorrect version of the notice was "inadvertently filed" with California AG. 

"The incident American Express reported to the California Attorney General on March 10 was not a breach of any American Express environment or service provider, but rather was a merchant breach," the spokeswoman said, noting that a correct version had been sent "to Card Members in California notifying them of a merchant breach." 

"We sent the letter as a courtesy to our Card Members in California when we were made aware of the breach by the merchant," she said. That letter "includes information and resources that they can use to protect their information." The company is in the process of filing a correct version of the notification with Ash's office.

UPDATE: This story has been updated to include a clarification by American Express that the breach occurred with a merchant not a third-party provider, as an incorrect version of the notification letter filed with the California AG had indicated.