No guarantees AMEX has learnt lesson from security breach
Australia’s Privacy Commission finds American Express conduct unbecoming, but will customers be protected?
The Australian Privacy Commissioner has found American Express Australia breached privacy law by failing to adequately protect a customer’s personal information from unauthorised internal access and then threatened the complainant with court action to ensure his silence on the details.
It follows years of lies, obfuscation and pushbacks by the company and delays and inaction by both the independent statutory agency promoting privacy and information access rights and a free independent ombudsman service that helps individuals and small businesses resolve disputes with financial firms.
Privacy Commissioner Carly Kind ordered American Express to rectify security flaws in five of its data systems to guard against “insider threats”, restrict employee access to specific customer information and provide a written apology to the customer who first brought the holes in its data security to the regulator’s attention.
Kind called out the “evident deficiencies” in the company’s complaint handling process in the case, saying it cast doubt on its entire complaint handling system.
The man had fought a lone and heroic four-year battle to protect the privacy of millions of customers worldwide and force the company to acknowledge his privacy had been breached after he began to suspect an American Express employee he briefly dated in 2022 had monitored his card accounts.
He complained to the company. When that went nowhere he went to the Office of the Australian Information Commissioner, which referred the matter to the Australian Financial Complaints Authority. Immediately, AFCA requested a meeting with the company to confirm its employee no longer had access to the man’s account and the company’s response was swift ... and wrong.
“We confirm that the employee has no access to [the man]’s account,” Amex responded. The company maintained the line for months until it suddenly reversed course, admitted the breach and received a leave pass from AFCA.
Incredibly, AFCA deemed American Express had responded appropriately “in the circumstances”. The man went back to the OAIC and the Privacy Commissioner, who ultimately substantiated the years-old complaint. However, she restricted her complete findings to the company and complainant. The public was only provided a website summary on Monday.
In a statement, American Express acknowledged the commission’s decision. “We take this matter seriously,” it said. “We are committed to protecting customer information and handling personal information responsibly, with privacy and data protection as important priorities. As we have d