American Express – a provider of credit, travel, and other business and personal finance services –advised some customers on September 30, 2019 that their personal and American Express account information may have been compromised and may be used for fraudulent activity. While American Express has not released much in the way of specific information, they have noted that the activity in question revolves around the American Express Card and its customers. If you are contacted by American Express via email or phone, you should not accept the contact as valid; as fraud attempts are common after announcement of a breach. Instead, call American Express directly at 1 (800) 528-4800 or the number on the back of your card to confirm the claim.
Technical detail and additional information
What is the threat?
According to notifications from American Express, a former employee would appear to have successfully obtained customer data of customers of the American Express Card product line. This exfiltrated information appears to have been used to attempt or possibly undertake fraudulent activity. American Express notes only that “personal information” appears to have been exfiltrated, and that it appears that the exfiltration was to “conduct fraudulent activity.” This could mean attempted (or successful) identity theft, opening of credit and other financial accounts using fraudulently acquired information, or other forms of financial and identity fraud. At this time, it is not known how many customers had information exfiltrated or to what extent that data was used – successfully or unsuccessfully – in fraudulent actions.
Why is this noteworthy?
While data exfiltration is not an unusual event in general, exfiltration by current or former employees is less usual; as security controls are typically in place to monitor current employee activity and prohibit activity by former employees entirely.
What is the exposure or risk?
Credit card related personal information can be used to commit identity theft, open bank and credit accounts, or otherwise allow a threat actor to perform financial and other transactions as the victim. Without specific information on what data was exfiltrated in this breach, it is not possible to identify exactly which forms of fraud are possible; so victims should consider themselves at risk for any form of identity fraud until such time as full details are provided by American Express.
What are the recommendations?
- Establish policies and procedures to minimize or eliminate the potential for employees to steal data. While this is not directly related to the victim impact of the exfiltration event in question, the situation does highlight the need for all organizations to implement proper controls.
- Users should be cautioned to not take emails and/or phone calls related to this breach at face value, as many threat actors use breaches such as this to create opportunities to commit additional forms of fraud through phishing and vishing. Users should confirm notification by calling American Express directly via published and verified contact numbers – such as the contact number on the back of their American Express card.
- Confirmed victims should utilize standard consumer protections against identity theft and financial fraud. This includes credit monitoring services from reputable vendors and periodic review of credit reports for anomalous activity.
If you have any questions, please contact our Security Operations Center.