
American Express ordered to fix security gaps after customer was spied on

The privacy watchdog has ordered American Express to rectify security flaws in five of its data systems to guard against “insider threats” and to restrict employee access to specific customer information to protect vulnerable and high-profile customers.

Privacy Commissioner Carly Kind found the payments giant had “failed to implement appropriate, uniformly applied technical and organisational measures to address insider security risks posed by its staff”.

Privacy Commissioner Carly Kind has found against American Express. (Photo: Louie Douvis)

The failure was “particularly significant”, she said, “given AMEX was on notice of the need for uniform monitoring coverage across all frontline teams having experienced … [a] previous insider threat incident”.

She ordered American Express to issue a written apology to the customer who first brought the holes in its data security to the regulator’s attention and who has fought for four years for action to protect the privacy of millions of customers worldwide.


She also ordered the company to ensure a time-stamp log of entry is recorded when an employee accesses or takes action on a customer’s records across the five systems.

However, in a 14-page summary of her determination posted to the Office of the Australian Information Commissioner website on Monday, Kind did not specify what compensation she had awarded the complainant. Nor did she include details of any wider security weaknesses she may have identified in other company data systems aside from the five at the centre of the complaint.

Her preliminary view, made more than a year ago and obtained by this masthead, included the revelation that American Express could “neither audit nor enforce its policies about an employee’s access to personal information for 88 of its systems, that is, for 78 per cent of … [its] systems that hold the personal information of Australians”.
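The two controls described above, a uniformly applied, time-stamped record of every employee access across all record-holding systems, and a policy that restricts access to flagged customers so it can be both enforced and audited, can be sketched in code. The following is an added illustration written for this article, not American Express's systems or anything from the determination; the roles, customer identifiers, thresholds and the three system names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessEvent:
    """One time-stamped entry: who touched which customer record, in which system, and whether policy allowed it."""
    ts: datetime
    system: str
    employee: str
    role: str
    customer: str
    action: str
    allowed: bool
    reason: str


class AuditLog:
    """Append-only log shared by every system, so monitoring coverage is the same everywhere."""
    def __init__(self):
        self._events = []

    def record(self, event):
        self._events.append(event)

    def events(self):
        return list(self._events)


# Constructed policy (assumption, not the company's): which roles may do what, and which
# customers are flagged as vulnerable or high-profile and reserved for one team.
ACTION_ROLES = {
    "view": {"frontline", "protected-accounts", "fraud"},
    "update": {"protected-accounts", "fraud"},
}
FLAGGED_CUSTOMERS = {"C-1002", "C-1003"}
FLAGGED_ROLES = {"protected-accounts"}


def decide(role, customer, action):
    """Policy check returned as (allowed, reason) so the reason is logged either way."""
    if action not in ACTION_ROLES:
        return False, f"unknown action {action!r}"
    if role not in ACTION_ROLES[action]:
        return False, f"role {role!r} may not {action}"
    if customer in FLAGGED_CUSTOMERS and role not in FLAGGED_ROLES:
        return False, "customer is flagged; access reserved for protected-accounts team"
    return True, "policy ok"


class CustomerSystem:
    """One record-holding system. `access` logs first, then enforces, so denied attempts are auditable too."""
    def __init__(self, name, log, clock):
        self.name = name
        self.log = log
        self.clock = clock  # injected so the example is deterministic
        self.records = {}

    def access(self, employee, role, customer, action, value=None):
        allowed, reason = decide(role, customer, action)
        self.log.record(AccessEvent(self.clock(), self.name, employee, role, customer, action, allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        if action == "update":
            self.records[customer] = value
        return self.records.get(customer)


def denied_attempts(log):
    """Every policy violation, with the reason, for an auditor to review."""
    return [e for e in log.events() if not e.allowed]


def employees_over_threshold(log, distinct_customers, window):
    """Employees who viewed more than `distinct_customers` different records within any `window`."""
    by_emp = {}
    for e in sorted(log.events(), key=lambda e: e.ts):
        if e.allowed and e.action == "view":
            by_emp.setdefault(e.employee, []).append(e)
    flagged = set()
    for emp, evs in by_emp.items():
        for i, start in enumerate(evs):
            seen = {x.customer for x in evs[i:] if x.ts - start.ts <= window}
            if len(seen) > distinct_customers:
                flagged.add(emp)
                break
    return sorted(flagged)


def systems_without_coverage(log, expected_systems):
    """Systems expected to feed the log that produced no entries: a monitoring gap to investigate."""
    seen = {e.system for e in log.events()}
    return sorted(set(expected_systems) - seen)


def run_demo():
    """Constructed activity: one agent views a run of accounts then tries a flagged one; another updates it."""
    log = AuditLog()
    t = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]

    def clock():
        t[0] += timedelta(seconds=30)
        return t[0]

    cards = CustomerSystem("cards", log, clock)
    cards.records.update({"C-1001": "ok", "C-1002": "flagged", "C-1004": "ok", "C-1005": "ok"})
    for c in ["C-1001", "C-1004", "C-1005"]:
        cards.access("emp-42", "frontline", c, "view")
    try:
        cards.access("emp-42", "frontline", "C-1002", "view")
    except PermissionError:
        pass
    cards.access("emp-7", "protected-accounts", "C-1002", "update", value="updated")
    return {
        "entries": len(log.events()),
        "denied": [(e.employee, e.customer, e.reason) for e in denied_attempts(log)],
        "bulk_viewers": employees_over_threshold(log, distinct_customers=2, window=timedelta(minutes=5)),
        "uncovered": systems_without_coverage(log, ["cards", "loyalty", "disputes"]),
    }
```

The design point is that logging happens before the policy decision is enforced and through one shared log: a denied attempt is as valuable to an investigator as a permitted one, and a system that never writes to the log shows up in `systems_without_coverage` rather than silently falling outside the monitored set.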

The matter has been dogged by delays including over whether the complainant should be obliged to provide a medical report to American Express to allow the company to make submissions on the size of the payout.


Complainant John Smith (not his real name) did not seek financial compensation and did not agree to his sensitive personal information being provided to American Express in circumstances where he had already alleged a breach of privacy.

The determination was also delayed by substantial submissions from American Express on how the report should be redacted. Kind ultimately decided to provide the full determination to both parties but post only a summary on the commission website, raising concerns that American Express will not be held publicly accountable.

The commission said full disclosure could harm individuals and create risks to American Express’ cybersecurity, as well as undermine the integrity of the complaints process.

But Smith said his chief concern was protecting the privacy of other cardholders and he was alarmed by the commissioner’s decision to release only a summary of the full determination.


“It is in the manifestly public interest for the privacy commissioner’s final determination to be made public,” he said. “There is no public interest in secrecy and cover-ups.

“I hold grave concerns that the public summary published by the privacy commissioner does not tell the full story.

“The public has a right to know about American Express’ breaches of my privacy and the serious risks it poses to others. I call on the commissioner to release the full 32 pages of her determination.”

Kind warned the parties last month not to make inferences about what might be in the final determination based on the preliminary report, and the parties are gagged from discussing or circulating the findings under threat of legal action. The Herald and The Age have not seen a copy of the final determination.


In a statement, American Express acknowledged the commission’s decision. “We take this matter seriously,” it said. “We are committed to protecting customer information and handling personal information responsibly, with privacy and data protection as important priorities. As we have done throughout the investigation, we will continue to work with the OAIC and take steps to address its recommendations.”

Amex said it would provide a written apology to Smith.

American Express was exposed to data breaches in 2019, when an employee wrongfully accessed customers’ account information in an apparent attempt to engage in fraud, and in 2023, when its Asia-Pacific employee data was accessed by an ex-employee based in India.


Harriet Alexander is an investigative reporter for The Sydney Morning Herald.
Julie Lewis is the Features Editor of The Sydney Morning Herald.
