Published May 5, 2025

American Express data breach explained: things to know about a card data breach

In March 2024, American Express faced a security issue compromising the data of over 50,000 customers. Unauthorized parties gained access to names, card numbers, and expiration dates through a third-party vendor. The American Express data breach is a clear reminder that even large financial institutions remain vulnerable to cyberattacks, some of which occur because they’re reliant on third-party vendors. 

In this article, we’ll explore the timeline, scale and impact of the Amex breach, and discuss the steps you can take to reduce immediate risks and safeguard your personal information in the long run. 

What happened in the Amex data breach?

Timeline of the American Express data breach 2024

  • Date(s) breach occurred: prior to February 26, 2024
  • Date(s) breach reported: February 26, 2024
  • Date(s) breach disclosed to the public: March 6, 2024

The Amex data breach first came to light on February 26, 2024, when the company filed a breach notification with the Massachusetts Attorney General’s Office. Several news outlets quickly confirmed the filing, and on March 4, BleepingComputer published a detailed report about the incident. According to Twingate, over 50,000 Amex customers may have been affected, although the exact number remains unknown.

Was Amex hacked directly?

The 2024 American Express data breach did not compromise the company’s internal systems. “It is important to note that American Express owned or controlled systems were not compromised by this incident,” the company stated in its official breach notification. Instead, the breach occurred through a third-party service provider engaged by numerous vendors, including American Express.

Understandably, this caused confusion as to why the incident was referred to as the “Amex breach,” even though Amex’s systems remained secure. There are two main reasons:

  • The compromised data belonged to American Express cardholders.
  • The affected customers received the official breach notification letters from American Express. 

Third-party provider involvement

The American Express data breach was traced to unauthorized access at a third-party service provider. However, neither the official breach notification nor subsequent news reports disclosed the vendor’s identity. As reported by Dark Reading: “The breach occurred through a provider frequently used by the company’s travel services division.”

This incident underscores the growing risk of third-party vulnerabilities across the financial services industry, where even large, well-resourced organizations are only as secure as their most vulnerable external partners. 

What data was exposed and why is this a problem?

As reported in the official notice of breach, exposed data includes:

  • Names
  • American Express card account numbers
  • Expiration dates

Fortunately, there were no reports of more sensitive data compromised, such as CVV codes, Social Security numbers, or login credentials. However, even without access to full authentication details, significant risks remain.

Cybercriminals can cross-reference leaked payment data with personal information readily available from data brokers or social media, and build detailed digital dossiers on individuals. In the wrong hands, these profiles make fraud, identity theft, and targeted phishing attacks far easier and more convincing.

Impact on customers and user reactions to the American Express data breach

Like most major breaches, the American Express data breach caused a lot of confusion and frustration among customers. Social media quickly became flooded with user concerns, reports of unfamiliar charges, and discussions about fraud and potential class-action suits. 

Many users expressed distrust toward Amex over its refusal to name the third-party vendor involved. As one Reddit user put it, “If only one specific merchant is involved in the incident, why would they not tell us who the third party is? And why Visa/Mastercard were not involved?”

Others reported suspicious small charges on their accounts that could have been test transactions by cybercriminals. One Redditor shared, “I had a fraudulent change on my business Amex today. USD $8 to a company that sells eSIMS. I’m not in the US, and have never heard of that company. Apparently, lots of people get scammed by them. My guess is that, because of that breach early this year, numbers are circulating. I can imagine someone would test the number with a small amount like that before trying anything bigger”. 

Amex’s response: what they did (and didn’t do)

In its breach notice letters, American Express assured customers that it was carefully monitoring their accounts for fraud and would not hold them liable for any fraudulent charges. The company also provided security tips on how to set up real-time notifications and how to review account statements for any suspicious activity. Amex made no other statements about running forensic investigations or providing actionable support to victims of the breach.

The public concern after the breach is understandable: the breached data belonged to Amex customers, even though the company claimed its systems remained uncompromised. Furthermore, Amex didn’t disclose the total number of affected customers. This lack of transparency in the company’s communication added to the concern. Nevertheless, no class-action suits have been filed so far.

What to do if you’re affected

Change your passwords

Create new, strong passwords for your email and your Amex account to prevent unauthorized access. Follow these tips to maintain strong password hygiene:

  • Make your passwords long (16+ characters).
  • Avoid using names, birthdays, and other personal details in your passwords.
  • Use random combinations of uppercase and lowercase letters, numbers, and symbols.
  • Create a unique password for every account.

Monitor your account for fraud

Enable real-time transaction alerts for your Amex account: in your Amex mobile app, navigate to the “Account” section, then “Notifications,” and enable alerts for different card activities. Also, check your Amex account statements weekly for any suspicious activity. If you notice a transaction you don’t recognize, immediately contact the Amex security team at 1-800-528-4800 (toll-free) or via a live chat from your account.

Freeze or replace your card

In case you notice any unfamiliar transactions in your Amex account or receive a real-time alert about suspicious activity, contact the Amex team to request a new card number and prevent criminals from performing more transactions. You can also freeze your credit report with the three major bureaus for better protection. 

How to protect yourself from future breaches

The American Express data breach is just one of many attacks targeting major financial institutions, including loanDepot, Truist Financial, Fidelity Investments, Mr. Cooper Group, Chase Bank, and others. Breaches like these highlight the need for well-rounded security measures to protect your personal information. The following steps can help you prepare for future security incidents and minimize their impact.

Use unique passwords and secure apps

  • Maintain good password hygiene by never using the same passwords across different accounts. Reusing passwords makes it easier for hackers to gain access to multiple accounts if just one password is compromised.
  • Use a password manager to automatically generate strong, unique passwords and store them securely. 
  • Use authenticator apps to create one-time codes and add an extra layer of security to your accounts.

Know the signs of a scam

Criminals use many forms of phishing and online scams to trick you into revealing personal information, and knowing how to recognize them can protect you:

  • Don’t click on unfamiliar links or download suspicious attachments.
  • Carefully check emails and messages for correct sender credentials. Spoofed emails often change just one letter or number in sender names, email addresses, phone numbers, and website URLs to impersonate trusted senders.
  • Be cautious with login and payment pages and don’t enter your personal details unless you are confident that you are on a legitimate site.
  • Stay suspicious. If something feels off, trust your instincts and don’t engage.
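
The one-character sender change described in the list above can be checked automatically. The following is an added example, not part of the original article: it flags a sender whose domain is exactly one edit (a dropped, added, replaced or swapped character) away from a trusted domain. The trusted list and every sample address are constructed for illustration.

```python
# Added example (not from the original article): flag sender domains that are
# one edit away from a trusted domain. TRUSTED_DOMAINS and all sample addresses
# used with it are constructed for illustration.
TRUSTED_DOMAINS = {"americanexpress.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def base_domain(address: str) -> str:
    """Last two labels of the sender's domain, lowercased. This is a
    simplification: it ignores multi-part suffixes such as .co.uk."""
    host = address.rsplit("@", 1)[-1].strip(" <>").lower()
    return ".".join(host.split(".")[-2:])


def classify_sender(address: str) -> str:
    """'trusted' on an exact match, 'lookalike' when the domain is exactly one
    edit from a trusted one, otherwise 'unknown' (which does not mean safe)."""
    domain = base_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sender in (
        "American Express <alerts@americanexpress.com>",  # exact match
        "alerts@welcome.americanexpress.com",             # subdomain of trusted
        "alerts@americanexpres.com",                      # one letter dropped
        "alerts@amer1canexpress.com",                     # letter swapped for digit
        "alerts@americanexrpess.com",                     # two letters transposed
        "news@example.org",                               # unrelated domain
    ):
        print(f"{classify_sender(sender):9}  {sender}")
```

The sender address shown in a mail client can itself be forged, so a "trusted" result here only rules out the lookalike-domain trick, not spoofing in general.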

Reduce your personal information exposure

Breaches often expose partial but sensitive data. For example, the American Express card data breach exposed details like card numbers, expiration dates, and full names. While this information alone may not be enough to commit fraud, additional personal details available on the public web can easily fill the gaps. Cybercriminals can pull your name, address, phone number, and email from people-search sites and public records, then compile everything into detailed profiles and exploit them for criminal purposes.

The best way to limit the damage after a breach is to reduce your personal information exposure. The less information criminals can find about you, the harder it is for them to successfully target you.

Be mindful of what you share online, and regularly clean up your digital footprint by deleting old accounts, managing outdated profiles, and auditing what personal information is publicly accessible.

How Onerep protects your privacy and keeps your data out of reach

Onerep helps individuals and families protect their privacy by finding, removing, and monitoring personal information across 200+ people-search websites. By clearing your sensitive data from these public directories, we make it much harder for cybercriminals to connect breached information to your real-world identity.

Here’s how Onerep keeps your data away from prying eyes:

  • We scan the web to find where your personal information is exposed.
  • We scrub your data and don’t stop until it’s fully deleted, verifying each removal.
  • We monitor continuously, scanning over 200 sites every month. If your information reappears, we remove it again.

FAQs

Was American Express hacked in 2024?

In 2024, Amex experienced a security incident that exposed partial payment data of allegedly over 50,000 cardholders. Although Amex customer data was directly involved, the company stated that its owned or controlled systems were not compromised and that the incident occurred through a third-party merchant processor. However, Amex never disclosed the name of the involved service provider.

How do I know if my Amex card was exposed?

First of all, check your inbox for an official data breach notification letter from American Express. If you haven’t received one, you can also set up Amex account alerts and check your financial statements to be able to detect any suspicious activity. Additionally, you can use monitoring tools like HaveIBeenPwned to check if any of your credentials have been found in data breaches.

Is it safe to continue using American Express after a breach?

Yes, you can continue using your Amex account and cards after the breach. However, even if the company’s own systems were not directly compromised, it’s important to be aware of potential risks and become more vigilant about your account activity.

Here’s what you can do to continue using your card with no risk:

  • Set new, strong passwords for your email and Amex account.
  • Enable real-time notifications about transactions and regularly monitor your account for suspicious activity.
  • Contact American Express to replace your old card number that has been allegedly breached, or place a security freeze with the three major bureaus for greater protection.
  • Educate yourself on common online scams so that you can recognize them and avoid giving your personal information to fraudsters.

Can I remove my info from the web if it was leaked?

The answer to this question depends on the situation. Most of your personal information can be removed from the internet using a multi-step approach.

You can start by manually deleting any information you shared yourself, for example, in social media posts or public websites.

The information that was published by others without your consent can be removed through direct contact with site administrators. 

Finally, you can also remove your information from data brokers and people-search websites through an opt-out request. Doing this manually will require time and patience. However, you can use services like Onerep to automatically check over 210 people-search websites, identify where your information is listed, and request its removal. After you do this, the information that has been removed from data broker websites will also disappear from Google, reducing your online exposure.

Mikalai Shershan, Chief Technical Officer at Onerep

Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.
