American Express customers exposed through third-party breach

American Express has written to customers warning that their account details may have been breached after a third-party supplier to various merchants reported unauthorised access to its systems.

Details emerged following a letter to regulators in the US state of Massachusetts. The credit card giant told customers that its own systems were not accessed and that the letter is a precaution.

In the letter to customers, vice-president Anneke Covell said: “We became aware that a third-party service provider engaged by numerous merchants experienced unauthorised access to its system.

“It is important to note that American Express-owned or -controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” added Covell.

American Express told customers that card account numbers, names and other information including expiration dates might have been compromised.

The company said it is monitoring accounts for fraud and told customers affected that they will not be liable for “fraudulent charges”. It did not give details of the number of customers potentially affected. It warned customers to review their accounts for potentially fraudulent activity.

One IT security expert in the UK financial services sector, who wished to remain anonymous, told Computer Weekly that breaches through third parties is one of the “hazards of an interlinked industry”.

“This is something that happens all over the financial services sector because its an interlinked industry. It is an ecosystem of linked companies moving money between each other, and data is shared. None of these companies can work on their own – they all have providers of various systems,” they said.

The expert added that hackers target the weakest links in  this ecosystem: “One third-party supplier will have their own third-party suppliers. There is a hierarchy of forms, and hackers are looking for the weak links, such as an administrative system 10 steps behind.

“The further away from the big brand, like American Express, hackers try to find weaker systems at third parties that are interlinked. It could be something that looks small and harmless, but hackers can get into more important systems this way.”

Recent figures from cyber intelligence platform SecurityScorecard found that around three-quarters of all recorded cyber security breaches that originated through a third party occurred after other entities in the victim’s software and technology supply chain were attacked.

Third-party breaches account for around 29% of all breaches recorded by SecurityScorecard in 2023, the data shows, although given significant underreporting of attack vectors, this is very likely a significant understatement of the true number.

“The supplier ecosystem is a highly desirable target for ransomware groups,” said SecurityScorecard senior vice-president of threat research and intelligence, Ryan Sherstobitoff. “Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected.”