Almost three weeks after the breach at one of Bank of America’s vendors that impacted more than 57,000 customers came to light, yet another third-party data breach affected customers of a premier financial institution – American Express. Vigilance over credit card activity is the need of the hour, not to mention a renewed focus on third-party risks.
· Yet another third-party data breach impacted customers of a premier financial institution.
· New York-based American Express Company’s customer data was exposed in the hack of one of its service providers.
The American Express Company notified customers that their card details may have been exposed in a hack of one of its service providers. The latest incident comes almost three weeks after the breach at one of Bank of America’s vendors that impacted more than 57,000 customers came to light, highlighting the prevalence of third-party risks.
American Express’ data breach notification filing with the Massachusetts government noted that the service provider “engaged by numerous merchants experienced unauthorized access to its system.” Consequently, American Express Card account numbers, names and expiration dates were exposed, although the company is mum on the number of customers impacted.
“The problem of service providers, who get successfully hacked, that then end up causing a much larger data breach compromise is quite common,” Roger Grimes, data-driven defense evangelist at KnowBe4, told Spiceworks News & Insights over email. “Really, anyone with access to a system becomes an ingress point for hackers.”
American Express emphasized that company-owned or managed systems were not compromised. The company didn’t disclose the name of the service provider breached or the incident’s timeline.
“All services must routinely take inventory of who has what type of access and ensure that they are following recommended security guidelines. It also can’t hurt to have data monitoring so that when a large amount of data begins to move unusually, it can be reviewed, and if unauthorized, stopped as soon as possible,” Grimes added.
According to SecurityScorecard’s Global Third-Party Cybersecurity Breaches, 29% of all breaches could be attributed to a third-party attack vector. Further, the financial sector suffered the second-largest volume of third-party breaches behind healthcare.
Unlike Bank of America, which provided those impacted with a two-year membership for credit monitoring services, American Express said it is “vigilantly” monitoring card activity itself. The financial services company also freed customers of any liability for fraudulent charges on their accounts.
American Express also advised customers to turn on notifications and to regularly review account statements for the next 12 to 24 months.
Jeff Margolies, Chief Product and Strategy Officer at cybersecurity company Saviynt, told Spiceworks, “Protection of critical customer information is increasingly reliant on identity security of both the enterprise, and their third-party service providers. Enterprises with significant third-party relationships need to understand the security risks imposed by their third parties through a robust third-party risk program.”
https://www.spiceworks.com/it-security/data-security/news/american-express