American Express Admits to Theft of Customer Data Three Years Late [Updated]

American Express has warned its customers that they may have had their personal information stolen during a data breach—which happened in 2013.


The company explained to California’s attorney general in a letter sent on March 10th that a merchant suffered a data breach. The first version of the letter sent to the attorney general incorrectly described the breach as occurring at a third-party provider. It explains that “account information of some of our Card Members, including some of your account information, may have been involved.”

The breach occurred on Saturday, December 7th, 2013. American Express alerted customers as soon as it was made aware of the breach, and it doesn’t yet know why the merchant in question didn’t inform it earlier.

But don’t worry! Because American Express reassures everyone by adding that “it is important to note that American Express owned or controlled systems were not compromised by this incident.” Well, thank goodness for that.

The credit card company does say that it’s monitoring accounts for fraud. But given the time lags involved with owning up to the news, you’d probably be best served keeping an eye on your account yourself.

Update: This post has been amended after American Express got in touch to tell us that the letter sent to California’s attorney general was actually incorrect. The data breach wasn’t of a third party, but a merchant. That also accounts for the lag: American Express alerted customers as soon as it was made aware of the breach.

[DOJ via ThreatPost]


Contributing Editor at Gizmodo. An ex-engineer writing about science and technology.


Rule of personal finance: if you aren’t watching your accounts and balances you’re asking to be robbed.

But if there are erroneous charges on my Amex, it’s Amex’s problem so whatever.