If you're one of its 140 million cardholders around the globe, American Express wants you to know that your data is safe. The data breach recently announced by the U.S.' second largest credit card network reportedly involved a partner merchant and not Amex itself. However, if you're one of the customers whose credit card and personal information was stolen, the difference is negligible.
On March 10th, 2016, Amex submitted this breach notification to the California Department of Justice stating that some of its customers were victims of a previously unannounced 3 year old data breach. The security compromise—which involved a third-party merchant and not Amex's systems—may have resulted in the theft of account numbers, cardholders' names, expiration dates, among others. Amex has stated that customers will not be held responsible for any resulting credit card transactions from the breach.
The following is an excerpt from the notification issued by Amex chief privacy officer Stefanie Ash:
"Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure."
In its filing with the California Attorney General, Amex apparently used an incorrect version of the data breach customer notice, which caused some confusion and extra paranoia around the incident. This prompted Amex director of corporate affairs Ashley Tufts to issue the following clarification:
"I’ve learned today that the incident American Express reported to the on March 10 was not a breach of any American Express environment or service provider, but rather was a merchant breach. We inadvertently filed an incorrect version of the customer notice with the California Attorney General, which is being corrected. It's important to note that we sent the correct version of the letter to Card Members in California notifying them of a merchant breach."
Critical details around the data breach like which third-party merchant was breached and why it took Amex so long to inform its customers are still unknown.
Responsible Disclosure Or Hot Potato Toss?
While it's admirable of Amex to issue notifications about data breaches occurring downstream (e.g., involving a third-party or merchant networks), the degree of responsibility shared by the credit card issuer is certainly debatable—at least in the eyes of the consumer. For unwitting data breach victims, resolving issues with stolen credit card information usually happens with the issuer, not at the merchant level.
Indeed, measures like PCI-DSS were created by the four biggest credit card issuers—including Amex—to ensure that merchants and partners practice safe processing and management of customer credit card information. And when data breaches occur due to mishandling or negligence on the merchant's part, penalties and fines may ensue. Does this ultimately put credit card issuers on the hook when data breaches occur downstream, even when none of its own systems and environments were involved? Critical questions regarding downstream data breach liability are likely to surface as more details around the Amex partner compromise unfold in the weeks and months ahead.
The fact is that partner interdependence is critical for business in today's highly digitized economies. As the old adage goes, you're only as strong as your weakest link. Nowhere is this more true than in IT security—as in Target's case, cyber attackers often compromise corporate networks through partner connections and integrations. UpGuard's digital resilience platform not only performs internal/external scans of your environment for a strong security and compliance posture, its CSR risk grader and rating system is instrumental for determining how a third-parties' security posture could potentially impact your firm.