Although data breach notices went out to American Express customers who were involved on September 30th, this is not the typical breach where systems were accessed, or databases were obtained by an outside party. This breach involved an American Express employee acquiring customer information and using it for fraudulent attempts to open accounts at other financial institutions. Information that was accessed included full names, physical and billing addresses, Social Security numbers, birth dates, and the credit card number. American Express assures that this unnamed person does not work at the company any longer and is facing charges pending a criminal investigation. A portion of the statement released by American Express read, “We are aware of this issue. Ensuring the security of our customers’ information is our top priority, and we are investigating this matter in close partnership with law enforcement.” The company is also providing free credit monitoring in partnership with Experian Identity Works.
When considering defense against data breaches, companies should consider the controls they have to detect insider threat activity. Best practices include giving employees the least privilege or access to data needed to do their job, separation of duties with occasional rotation of duties between employees, and a good auditing plan. American Express customers who were affected should take advantage of the free credit monitoring service by using the code received in their breach notice email. It is also recommended that people keep a close eye on their credit report and report any suspicious or unauthorized activity to their respective financial institutions.