
American Express warns customers about third-party breach

Mar 16, 2016

Incident took place in 2013, but the third-party service provider isn't named

In a notification letter dated March 10, American Express warns cardholders that their account information might’ve been exposed after a third-party service provider suffered a data breach.

“…Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident,” the letter states.

The third-party provider, which isn’t named, is engaged by several merchants, the notification letter explains. Cardholders should expect that their account number, name, and other card details were compromised.

American Express says they are monitoring accounts for fraud, and that cardholders should do the same and report any suspicious transactions. If it isn’t already enabled, customers are also encouraged to use the transaction notifications, which will alert them each time the card is used.

The interesting aspect of this notification is that the incident being referenced by American Express happened on Saturday, December 7, 2013. It isn’t clear why there was such a delay. American Express says the notification is just a precaution.

But why the wait?

Worst-case scenario, American Express hasn’t tracked any related fraud, but the incident at the provider actually went undetected for several years. That seems unlikely, but it’s possible.

According to the California Attorney General, this date is also the same day Affinity Gaming reported their data breach, which impacted card transactions at eleven casinos in four states.

In fact, 2013 had a number of large data breaches, including Target, multiple incidents at LinkedIn, Facebook, Tumblr, Twitter and Pinterest, Zendesk, Adobe, LivingSocial, and Evernote.

Update: A point of clarification.

As a rule, American Express will issue alerts long after an incident if there are indications that cardholders were or could be exposed somehow. You can see examples of this in any of the notification search engines.

The company doesn’t discuss their anti-fraud measures, so why this happens isn’t clear, but it isn’t uncommon for them to alert cardholders of potential problems long after an incident has been made public.

Also, some incidents are known to the card brands themselves, but not the public.

But the date of the incident referenced by this notice (December 7, 2013), as well as the wording on the source itself (“a third party service provider engaged by numerous merchants.”), is what stood out as something worth discussing.

The last time American Express issued a notification letter with a long gap was in November of 2015. In that case, the incident being referenced happened in 2008.

Update 2:

American Express just sent the following statement:

“The incident American Express reported to the California Attorney General on March 10 was not a breach of any American Express environment or service provider, but rather was a merchant breach. We inadvertently filed an incorrect version of the customer notice with the California Attorney General, which is being corrected.

“It’s important to note that we sent the correct version of the letter to Card Members in California notifying them of a merchant breach. We sent the letter as a courtesy to our Card Members in California when we were made aware of the breach by the merchant. The letter to our Card Members includes information and resources that they can use to protect their information.”