American Express has informed an undisclosed number of cardholders that their personal account information may have been compromised in a recent cyberattack on a third-party service provider used by multiple merchants.
In a notice filed last week with regulators in Massachusetts, the credit card giant stated that customer names, card numbers, and expiration dates for both current and previously issued American Express cards could potentially have been accessed by unauthorized parties.
“A vendor that processes transactions for many merchants experienced an unlawful breach of their systems,” said Anneke Covell, American Express’s Vice President of Privacy for the U.S. and American Express National Bank. “However, this incident did not directly impact any of American Express’s own systems or infrastructure.”
American Express stressed that the breach occurred at an outside payment processing company, not internally at American Express itself. The company has not named the specific vendor whose systems were hacked.
As a precaution, American Express said it is actively monitoring potentially affected accounts to detect any fraudulent charges or suspicious activity. The company reminded customers that they are not responsible for unauthorized transactions on their accounts.
In the regulatory notice, American Express urged customers to review statements carefully, sign up for alerts about potential fraud, and ensure their contact information is up-to-date. The company also provided a dedicated phone number for anyone who spots suspicious charges: 1-855-693-2213.
While American Express declined to disclose how many cardholders were impacted or the geographic scope of the breach, the company told CBS News that it notified regulators and affected customers in Massachusetts in accordance with the state’s data breach disclosure laws.
“Different regulations determine when financial institutions must report incidents, such as a breach at a retailer where the consumer used their credit card,” American Express explained, citing guidance from the Massachusetts government.
Data breaches at third-party vendors that process payments for multiple businesses are not unprecedented, but can be particularly damaging due to the vast number of consumers impacted across various merchants and financial services providers.
In 2019, Wawa convenience stores suffered a breach at a third-party provider used for payment processing, exposing over 30 million sets of payment records. And in 2013, criminals gained access to an external payroll service provider for dozens of companies, potentially exposing employee bank account and routing numbers.
For major financial firms like American Express, which frequently transmit sensitive customer data to external vendors, third-party cybersecurity lapses can present a serious risk that is often outside the company’s direct control.
While American Express maintains it was not directly hacked, this latest incident highlights the vulnerabilities large corporations can face from their dependence on external service providers and suppliers in the digital age.
As cybercriminals grow increasingly sophisticated, companies that process and store consumer financial data must remain vigilant against both internal and external threats to safeguard customer privacy.
