Financial services giant American Express has confirmed that a former employee has gained access to employee data after accidentally being given access to a third-party payroll company.
News of the data leak first started circulating on Instagram, when The Aussie Corporate account shared an anonymous message revealing the leak and its scope as part of a reel.
“Massive personal data breach at AMEX”, reads what looks to be a private message. “Asia Pacific employee data accessed by an ex-employee based in India.”
The data reportedly involves what the anonymous poster calls, “Everything you need to steal someone’s identity”, including bank account details, names and addresses, payment histories, and tax file numbers.
“Their entire APAC, employee base is affected,” the message says. “They have offered a service ‘free’ to the ex-employees impacted for services by RISQ and a company that helps to support you if your identity is stolen. It’s outrageous.”
Cyber Security Connect contacted American Express and confirmed there was an incident. However, Amex also confirmed that no payment data or bank details were accessed by the former employee and that only “certain colleagues” were impacted.
“We are aware of an incident involving a former American Express employee who was inadvertently granted access to employment-related information of certain colleagues based in our APAC region by a third-party payroll service provider,” Gerilyn A Cammaroto, vice-president of corporate affairs and communications at Amex, said via email.
“The privacy and security of our colleagues are a priority for American Express. Upon learning of the incident, we promptly began an investigation and notified the local regulatory authorities.”
Cammaroto also confirmed Amex has notified both “current and former colleagues”, and that they are being offered two years of identity theft protection.
“No American Express Card member data was impacted,” Cammaroto added.
However, the company did not disclose the number of employees affected, nor did it confirm the nature of the data exposed.
American Express India suffered a massive data breach in November 2018, thanks to an unsecured MongoDB server. Nearly 700,000 customer records were affected, with their names, addresses, and credit card details exposed for five days before a security researcher noticed the open server.
– Cyber Security Connect