PYMNTS Intelligence Alternate Banner June 2024

American Express Notifies Customers of Data Breach at Third Party Used by Others

American Express has notified customers of a data breach at a third-party service provider that is used by many merchants.

The unnamed service provider “experienced unauthorized access to its system,” and account information of some American Express card members may have been involved, American Express said in a Notice of Data Breach that was filed in February with the Massachusetts Office of Consumer Affairs and Business Regulation.

“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” American Express told its affected customers in the notice. “The incidents that you are inquiring about occurred at a merchant or merchant processor and were not an attack on American Express or an American Express service provider, as some media outlets have erroneously reported. Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts.”

The company added that current or previously issued American Express Card account numbers, names, expiration dates and other card information may have been compromised.

“Please be assured we are vigilantly monitoring your account for fraud and, if it should occur, you are not liable for fraudulent charges on your account,” American Express said in the notice.

This news comes on the heels of several other data breaches. 

In February, LoanDepot said that a data breach that impacted the company in January, affecting 16.9 million customers. The breach occurred Jan. 3 through Jan. 5 and saw hackers acquire names or other personal identifiers in combination with Social Security numbers, the financial services company said in a Feb. 23 filing with the Office of the Maine Attorney General.

In December, Sony-owned video game studio Insomniac released a statement about a data breach that was discovered earlier that month. The company said the data stolen in the cyberattack included personal information belonging to Insomniac’s current employees, former employees and independent contractors. It also included early development details about a game the company is currently working on, Marvel’s Wolverine for PlayStation 5.

Also during December, Comcast said it had become aware of a data breach in which hackers stole the personal data of millions of customers of its cable and internet business Xfinity. The company said that during a routine cybersecurity exercise, Xfinity spotted suspicious activity, concluded that there had been unauthorized access to its system and notified law enforcement.