UPDATE
Editor's Note: This story was updated at 11:33 a.m. Mar. 5 to reflect a clarification by American Express.
Credit card giant American Express notified customers March 4 that a third-party merchant processor was hacked.
A breach notification American Express filed with the state of Massachusetts said that a "third-party service provider engaged by numerous merchants experienced unauthorized access to its systems."
American Express then told customers that, while certain account information may have been exposed, American Express-owned or controlled systems were not compromised by this incident.
"The incidents...occurred at a merchant or merchant processor and were not an attack on American Express or an American Express service provider, as some media outlets have erroneously reported," said American Express in a statement. "Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts."
More scrutiny needed for 3rd-party providers
The most disappointing aspect of this breach is the lack of detail — particularly over how the incident was detected and the scale of the compromise, said Claude Mandy, chief evangelist, data security at Symmetry Systems.
While further details are hopefully forthcoming, Mandy said it’s indicative of similar third-party compromises in the payments industry.
“The service provider often has insufficient logging and monitoring capability to determine what data was compromised, let alone whether the breach occurred,” explained Mandy. “As a result, these types of breaches are identified by the advanced fraud analytics capabilities used by the payment companies like American Express that pinpoint which merchant and service provider in their network has high prevalence of fraud after a breach to alert them of the compromise. We expect that increasingly, organizations of all sizes will invest in modern data security capabilities to help detect and respond to unauthorized access to sensitive data, as well as proactively reduce their data risk.”
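The detection Mandy describes is a "common point of purchase" analysis: the issuer cannot see the processor's logs, so it works backwards from fraud reports to the merchants that compromised cards share. The following is an added example, not code from the article or from any card issuer; the transaction records, fraud list and thresholds (`min_cards`, `min_lift`) are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data: (card_id, merchant_id) pairs over a look-back window.
# "grocer" and "fuel" are visited by everyone, "cafe" only by the cards that
# later turn up in fraud reports, "kiosk" has too few cards to judge.
TRANSACTIONS: List[Tuple[str, str]] = [
    ("c1", "grocer"), ("c2", "grocer"), ("c3", "grocer"), ("c4", "grocer"),
    ("c5", "grocer"), ("c6", "grocer"), ("c7", "grocer"), ("c8", "grocer"),
    ("c1", "fuel"), ("c2", "fuel"), ("c3", "fuel"), ("c4", "fuel"),
    ("c5", "fuel"), ("c6", "fuel"), ("c7", "fuel"), ("c8", "fuel"),
    ("c2", "cafe"), ("c3", "cafe"), ("c4", "cafe"), ("c5", "cafe"),
    ("c9", "kiosk"), ("c2", "kiosk"),
]
# Constructed: cards the issuer later confirmed as fraud victims.
FRAUD_CARDS: Set[str] = {"c2", "c3", "c4", "c5"}


def cpp_candidates(transactions: List[Tuple[str, str]], fraud_cards: Set[str],
                   min_cards: int = 3, min_lift: float = 2.0
                   ) -> List[Tuple[str, int, int, float]]:
    """Rank merchants whose customers show fraud far above the baseline rate.

    Returns (merchant, distinct_cards, fraud_cards_seen, lift), lift being the
    merchant's fraud prevalence divided by the prevalence across all cards.
    """
    cards_by_merchant: Dict[str, Set[str]] = defaultdict(set)
    all_cards: Set[str] = set()
    for card, merchant in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)
    if not all_cards:
        return []
    baseline = len(fraud_cards & all_cards) / len(all_cards)
    if baseline == 0:
        return []  # no fraud signal at all, nothing to correlate
    results = []
    for merchant, cards in cards_by_merchant.items():
        if len(cards) < min_cards:
            continue  # too little support; one bad card would dominate the rate
        hits = len(cards & fraud_cards)
        lift = (hits / len(cards)) / baseline
        if lift >= min_lift:
            results.append((merchant, len(cards), hits, round(lift, 2)))
    results.sort(key=lambda r: (-r[3], -r[2]))
    return results
```

Production systems add a time window around the suspected breach and a statistical test rather than a fixed lift threshold, but the correlation step is the same.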
Piyush Pandey, chief executive officer at Pathlock, added that over the last few years his team has seen a significant uptick in third-party data breaches. In this case, Pandey said, multiple parties are involved, creating what he calls “nth party” risk.
“This places a much greater emphasis on organizations to vet their third-parties during onboarding to minimize access risk,” said Pandey. “Organizations must also ensure that the third-party partners of the third-parties they are doing business with are assessed for access risk. It should become part of standard third-party contracts to specify breach response responsibilities. Masking data to provide only what is absolutely needed by third parties to provide services must become a best practice.”
Emily Phelps, director at Cyware, said third-party financial data breaches are widespread, in part because of the intrinsic value of financial data and the complexity of financial institutions' supply chains.
“Threat actors exploit third-party vendors that may have less sophisticated security controls than the larger institutions they seek to access,” explained Phelps.
Liat Hayun, co-founder and CEO at Eureka Security, added that the recent data breach impacting American Express customers, coming just weeks after similar incidents at Bank of America, underscores the critical need for organizations to hold their service providers accountable for data security.
“Lessons from past breaches highlight the importance of robust access controls, as this incident likely stemmed from unauthorized system access,” said Hayun. “While mapping access points for sensitive data can be complex, it's a crucial security measure that organizations must prioritize in alignment with their overall business objectives and compliance requirements.”