
Employee Accessed, Abused Customer Data at American Express

by Chris Brook on Wednesday October 2, 2019


An employee - since terminated - at the financial services corporation is being investigated for fraud after accessing and stealing cardholder data.

One of the largest financial services companies in the U.S. is dealing with the repercussions of a data breach apparently caused by one of its employees.

American Express Company, the multinational financial services corporation that offers credit cards, personal savings accounts, insurance, and more, disclosed the news in a series of data breach notifications on Monday.

As is usually the case in the early stages of incidents like this, details on the breach, such as when American Express became aware of it and how many individuals were affected, are scant.

What is known is that one of its employees - since let go - wrongfully accessed cardholder data, including individuals' card numbers, physical and/or billing addresses, dates of birth, and Social Security numbers, and in some instances used it to open lines of credit at other financial institutions.

“It was brought to our attention that personal information, related to your American Express Card account listed above, may have been wrongfully accessed by one of our employees in an attempt to conduct fraudulent activity, including potentially opening accounts at other financial institutions,” reads a data breach notification issued by the company on Monday.

It's unclear when American Express became aware of the breach or if it had mitigations in place to prevent the exfiltration of customer data in the first place.

In a statement provided to Data Insider on Wednesday, American Express confirmed that the employee responsible for accessing the data is no longer employed there and that it's working with law enforcement to further investigate.

"We are aware of this issue. Ensuring the security of our customers’ information is our top priority, and we are investigating this matter in close partnership with law enforcement. We can tell you the person in question is no longer an employee of American Express. Given this is an active criminal investigation, we can’t provide any further comment."

According to the notification (.PDF) - a copy of which surfaced on the Montana Department of Justice website this week - the company is taking the usual steps following a breach, including offering identity theft protection. Of course, it's also encouraging victims to remain vigilant when it comes to reviewing their account for fraudulent activity.

While American Express isn't valued as highly as JP Morgan Chase, Bank of America, or Wells Fargo, it's still a multi-billion-dollar company - it made nearly $34 billion in 2017 - with nearly 60,000 employees.

This summer's massive Capital One breach and 2017's Equifax hack aside, data breaches at financial services firms have been commonplace, especially over the last several years. These breaches have translated into higher fraud-related expenses over the years. A recent study carried out by LexisNexis found that each dollar of fraud cost $3.13 in additional expenses, up from $2.94 last year.

While it's too early to gauge exactly how the American Express employee was able to take cardholder data, or whether there were safeguards in place, the fact that it occurred at all should serve as a firm reminder for banks and financial services organizations to ensure they have data protection policies, encryption, and tightly regulated system access rules in place in order to better safeguard customer data in financial environments.

Tags: Industry Insights, Financial Services


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.