American Express notifies card holders of third-party breach more than 2 years late
American Express said that an unidentified third-party service provider used by merchants experienced a breach that may have exposed account information on card holders, according to a notification letter that American Express filed with the California Attorney General's Office.
The exposed account information included the account number, the cardholder's name, the card expiration date and other confidential information.
The company stressed that no American Express-owned or -controlled systems were breached.
The breach occurred way back in December 2013, according to the California Attorney General's Office. No reason was provided for the extraordinary delay in notifying customers, and no estimate of the number of people affected was given.
"This breach is another example of a broken chain of custody with confidential data. AMEX protects it, but then relinquishes control to another party that has weak controls, which the bad actors know how to exploit," commented Bill Blake, president of security firm Fasoo.
"This is exactly why a 'persistent security' approach needs to be employed, one where a file can only be accessed a limited number of times on specific PCs, and if someone tries to steal the file, it can't be opened," he added.
Stephen Boyer, co-founder and CTO of security ratings firm BitSight, commented on finance industry breaches in general: "History has shown that attackers only have to exploit a single weakness, while defenders have little room for error. Finance is highly targeted but also has the most resources and the most sophisticated capabilities to detect, respond and recover."