
This was published 5 months ago

‘Sensitive personal information’: Leaked report reveals American Express security failures

A confidential privacy watchdog investigation has found systemic failures with American Express’s technology security controls, exposing more than one million Australian cardholders to risks of privacy breaches, fraud, identity theft and physical harm.

The Office of the Australian Information Commissioner (OAIC) has been investigating American Express since March 2023, after a customer reported that a man he had briefly dated had used the company’s systems to unlawfully spy on his personal financial information.

The OAIC has investigated American Express. Photo: Edwina Pickles

American Express has long claimed the breach was limited to a “sole actor” and handled appropriately, but an interim report written by Privacy Commissioner Carly Kind has found systemic failures that affect most customers.

The explosive and confidential report, obtained by this masthead and disputed by American Express, found the financial giant breached privacy laws, acted unreasonably, gave misleading information during regulatory investigations and has gaping holes in its technology security that require immediate fixing.


While the final determination is yet to be made, the OAIC’s most damning interim finding is that American Express is not tracking employee access to customer accounts across 78 per cent of its systems – breaching international standards and exposing customers to “insider threat” risks.

Kind’s report in the ongoing secretive investigation also found American Express did not have the technology to restrict staff access to certain customer accounts, even after problematic behaviour was detected – and instead relied heavily on internal policies and staff training to prevent misconduct.


This meant, Kind found, that staff with basic privileges based in Australia and overseas are granted “full and unfettered access” to the private information of Australian customers, which includes celebrities, politicians, politically exposed individuals and vulnerable people.

“The case highlights a vulnerability in the [American Express]’s privacy and data security settings in terms of staff having the ability to access personal information without a legitimate purpose, and for this conduct to go undetected.”


A spokesperson for American Express said these key findings were “demonstrably incorrect and will be covered in our formal submissions” and “appear to be based on incomplete information and inaccurate assumptions”.

“American Express does not accept the findings in the OAIC’s preliminary view,” the spokesperson said.

The spokesperson also defended American Express’s response to the initial privacy breach, stating the employee was disciplined and “additional measures were promptly implemented”.

“American Express continually evolves its processes, policies and systems, and remains committed to maintaining the highest standards of privacy and data protection.”


American Express sells credit cards and travel services to millions of people around the world. In Australia, the multibillion-dollar finance giant employs more than 1500 staff and had around 1.5 million cards in circulation as of 2023.

Kind’s report states American Express holds “granular detail” about the “habits, health information and movements” of its customers, which has the “potential to reveal information about an individual’s location and movements as well as other sensitive personal information”.

“There is the risk that a failure to protect personal information from those security risks may result in financial fraud, identity theft causing financial loss or emotional and psychological harm, family violence, physical harm or intimidation,” Kind found.

The revelations come as Qantas became the latest major company to be embroiled in a privacy scandal after hackers posted the personal information of 5.7 million customers onto the dark web, prompting national discussion around whether privacy regulation is fit for purpose.

The Australian Signals Directorate, the nation’s key cybercrime intelligence agency, released its annual report this week, finding cybersecurity incidents have increased 11 per cent year-on-year, and called for businesses to invest in “best-practice logging” and secure technology systems.


The OAIC regards the “insider threat” as a significant risk for companies holding sensitive information, where rogue employees use internal systems to access private information for malicious or financial purposes.

The interim report found that only 24 out of 112 of American Express’s technology systems track employee access to customer accounts, leaving 78 per cent exposed to insider threats. The lack of comprehensive tracking, Kind found, meant that American Express cannot “audit or enforce” its own policies because it has no “baseline visibility” of inappropriate access.

“Should these limitations remain unchanged, they may prevent the respondent from properly investigating and responding to privacy or security incidents affecting its systems in the future,” the interim report stated.
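The report’s point is that without per-record access logging there is nothing to audit against, and without a notion of legitimate purpose there is nothing to enforce. The following is an added example, written for this page and not code from American Express, the OAIC or any named system: it runs a simple insider-access audit over a constructed access log. The employee names, customer identifiers, system names and the case-management mapping are all hypothetical; "legitimate purpose" is modelled as an open case assigned to that employee for that customer, which is one common way to encode it.

```python
"""
Insider-access audit over a constructed, hypothetical access log (added
example, not the code of any real institution). It demonstrates the two
capabilities the report says are missing: a record of who touched which
customer record, when and in which system, and a check that each access
was tied to a legitimate purpose.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    customer: str
    system: str
    case_id: Optional[str]  # the case/ticket the employee cited, if any


# Hypothetical case-management export: case id -> (assigned employee, customer).
OPEN_CASES: Dict[str, Tuple[str, str]] = {
    "CASE-1": ("e_ok", "cust_B"),
    "CASE-2": ("e_rogue", "cust_B"),
}

# Constructed sample log; cust_A stands in for a customer with no open case.
SAMPLE_LOG: List[AccessEvent] = [
    AccessEvent(datetime(2023, 1, 5, 9, 0), "e_ok", "cust_B", "crm", "CASE-1"),
    AccessEvent(datetime(2023, 1, 5, 9, 10), "e_rogue", "cust_B", "crm", "CASE-2"),
    AccessEvent(datetime(2023, 1, 6, 14, 2), "e_rogue", "cust_A", "crm", None),
    AccessEvent(datetime(2023, 1, 8, 18, 45), "e_rogue", "cust_A", "billing", None),
    AccessEvent(datetime(2023, 1, 9, 8, 30), "e_rogue", "cust_A", "crm", "CASE-2"),
    AccessEvent(datetime(2023, 2, 1, 11, 0), "e_ok", "cust_A", "crm", None),
]


def has_legitimate_purpose(event: AccessEvent, cases: Dict[str, Tuple[str, str]]) -> bool:
    """An access is justified only if the cited case exists, is assigned to
    this employee and concerns this customer. A real case cited against the
    wrong customer (the fifth sample event) is therefore unjustified."""
    return cases.get(event.case_id) == (event.employee, event.customer)


def audit(events: List[AccessEvent], cases: Dict[str, Tuple[str, str]],
          repeat_threshold: int = 3) -> list:
    """Return one finding per unjustified access, in time order, plus one
    aggregate finding when the same employee repeatedly reaches the same
    customer without a case: the pattern a one-off review would miss."""
    findings = []
    unjustified_by_pair = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev.ts):
        if has_legitimate_purpose(e, cases):
            continue
        findings.append(("no_legitimate_purpose", e.employee, e.customer,
                         e.system, e.ts.isoformat()))
        unjustified_by_pair[(e.employee, e.customer)] += 1
    for (emp, cust), n in unjustified_by_pair.items():
        if n >= repeat_threshold:
            findings.append(("repeated_unjustified_access", emp, cust, n))
    return findings


def run_sample() -> list:
    """Audit the constructed log against the hypothetical case export."""
    return audit(SAMPLE_LOG, OPEN_CASES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Two design choices matter for a practitioner. First, the log must carry the customer identifier and the cited justification on every read, not only logins or sessions, otherwise the per-record question "who has touched this account" cannot be answered. Second, the purpose check has to be strict about the binding between employee, customer and case; accepting any valid case number, as the fifth sample event tries, lets an insider launder access through unrelated work.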

CyberCX chief strategy officer Alastair MacGibbon said monitoring and limiting staff access to private information was fundamental to ensuring compliance with the law and it was “problematic” if large companies did not have robust tracking.


“Insiders are the key to the privacy and security of organisations,” MacGibbon said. “If you can’t keep track of who has touched a record, it’s very hard to prevent misuse of information.

“In the old days, the HR team would have sensitive documents in a room with a locked door. What’s the equivalent of a locked door today? Monitoring staff access is standard practice. Just knowing you’re being tracked reduces the likelihood of someone doing something mischievous.”

MacGibbon said the more sensitive the information held by companies, such as financial or healthcare data, the greater the obligation to invest in technology and ensure systems were routinely updated.

“Data is a bit like nuclear material,” he said. “It’s useful if contained, dangerous if lying around.”


In the report, the Privacy Commissioner outlines plans to order American Express to implement both logging and access controls across five computer systems relevant to the complaint within six months so that it can track and limit staff access to customer information.

“In addition to these proposed declarations, as a matter of good privacy and information security practice, the respondent should consider ways to strengthen access controls across the other 107 systems containing the personal information of Australians,” it found.

American Express told the privacy watchdog that limiting staff access to customer accounts would “create additional operational complexity” – a position rejected by OAIC, which noted the company reported $1.5 billion in revenue in 2022.

“I am conscious that the implementation of such changes is a project that may take some time,” Kind stated. “However, given the potential consequences of unauthorised access to personal information, particularly for high-profile or vulnerable individuals … I am not satisfied that the implementation of such controls was disproportionate to the risks involved.”

The privacy watchdog plans to order American Express to hire an independent reviewer to examine its broader policies to ensure compliance with privacy laws and report the findings within six months. In addition, Kind wants American Express to provide compensation and a written apology to the complainant, signed by a senior representative.


American Express was ordered to respond to the OAIC’s interim report by May 29, although progress on reaching a final determination has been hampered by disagreement over how to handle the complainant’s sensitive documents.

This masthead previously revealed that the Australian Financial Complaints Authority found American Express had breached privacy laws when its employee accessed the complainant’s accounts on at least nine occasions without consent, but determined American Express acted responsibly once the breaches were found.

The OAIC challenged this finding, stating the company’s actions were “concerning” and it provided inconsistent information during its investigation and has still not stopped the offending staff member, who remains employed at American Express, from accessing the complainant’s account.

“There remains a risk he may access it again,” Kind found. “I am of the preliminary view that during the relevant period, the totality of steps taken by the respondent were not reasonable in the circumstances to protect the personal information it held from misuse, interference and loss.”


Contacted for comment, a spokesperson for the OAIC confirmed the investigation was ongoing and said findings had not yet been made though it was seeking to “progress matters as expeditiously as possible”.

“The OAIC is required to maintain the confidentiality of information obtained in its investigations and we are unable to comment further on the details of this matter.”


Charlotte Grieve is an investigative journalist and author of Duty To Warn.
Julie Lewis is the Features Editor of The Sydney Morning Herald.
