American Express has put out a data breach advisory after third-party merchants experienced a hacking incident targeting its payment hardware, as reported by Bleeping Computer.
The financial services company detailed that the breach occurred in Massachusetts and is associated with an “American Express Travel Related Services Company.” It resulted in several merchants suffering “unauthorized access to its system.” Customers’ credit card information, including account numbers, names, and card expiration data, may have been exposed in the process.
“Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express-owned or -controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” American Express said in a statement.
The company noted that it was the merchant processor, meaning the hardware that accepts payment, that was compromised, not a direct American Express service provider. Even so, customer data is potentially circulating the dark web, after having been accessed by hackers. American Express has not publicly shared specifics on how many customers were affected when the breach took place or what merchant processor was hacked.
The incident is reminiscent of the Wiseasy hack in 2022, in which the Android-based payment system popular in the Asia-Pacific region was compromised and 140,000 payment terminals were affected globally. The payment terminals are used in restaurants, hotels, retail outlets, and schools. However, it was not clear whether Wiseasy notified its customers about the hack.
American Express said it has begun to investigate the matter, in addition to alerting the required regulatory authorities and impacted customers.
The company told BleepingComputer that customers should review their account statements closely for the next 12 to 24 months, making sure to report any suspicious activity. The institution does not hold card members responsible for any fraudulent purchases.
Other recommendations include enabling instant notifications through the American Express mobile app, which allows users to review their purchases and receive instant fraud alerts. Card members also have the option to request a new card number, in the event that their information is stolen.