American Express is found to have major data flaws after an investigation by the Privacy Commissioner

October 17, 2025

One thing that is almost a given in data privacy law is that if the regulator starts investigating a discrete problem or data breach, it will end up reviewing the entity's entire operation and finding problems worse than the one it started looking at. Often the original problem turns out to be a small fraction of the entity's problems. And so it goes with American Express, where the Privacy Commissioner found systemic failures in American Express's security controls, potentially exposing more than a million cardholders to privacy breaches. The investigation began with a customer's complaint that a staff member had used the company's systems to spy on his personal financial information. It is reported in the Age story 'Sensitive personal information': Leaked report reveals American Express security failures. What reflects poorly on American Express is that the problem was not new: two years ago the Age reported that the Australian Financial Complaints Authority had found American Express breached privacy laws when its employee accessed the complainant's accounts on at least nine occasions without consent. The Privacy Commissioner's interim report has now itself been leaked, to the Age. A leak of an interim report is quite unusual and is unlikely to impress either the regulator or American Express.

Based on the article, American Express does not track employee access to customer accounts across 78 per cent of its systems (only 24 of its 112 systems log such access). That is a classic exposure to "insider threat" risk: without access logs there is no baseline of who looked at which record, so misuse cannot be detected, let alone investigated. It is surprising that American Express did not have the technology to restrict staff access to particular customer accounts, even after problematic behaviour had been detected. It cites operational complexity as a reason for not implementing those controls. That explanation is hard to credit. Banks have long had such technology, and rogue or merely inquisitive employees who access accounts unrelated to their job are summarily dismissed as a matter of rigid practice. American Express relied on internal policies and staff training to prevent misconduct. That should be part of the process, not the end of it. What is particularly disturbing is that staff with basic privileges, based in Australia and overseas, had "full and unfettered access" to the private information of Australian customers, who include celebrities, politicians, politically exposed individuals and vulnerable people. This is quite extraordinary for a company of American Express's size and profile, especially as an internal data breach had been revealed two years earlier. Unfortunately this level of complacency is all too common: many entities give employees broad and sometimes unfettered access to personal information even where they have no need for it, and often do not log access, so internal threats cannot be identified.
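For concreteness, here is an added example of the two controls the interim report says were missing. It is illustrative code written for this post, not American Express's code and not anything taken from the Commissioner's report. It shows a purpose-bound authorisation check that refuses access to a customer account unless the employee cites an open case binding them to that account (and refuses outright if the employee has been placed on a hold list for the account), an audit that replays access log lines through the same check and flags repeat offenders, and a coverage check that reports which inventoried systems emit no access logs at all. Every record, case id, employee id, system name and threshold below is constructed for the example.

```python
"""Purpose-bound access control plus an insider-threat audit over access logs.

Added illustration only: all data here is constructed, none of it comes from
American Express or from the OAIC interim report.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    ts: str        # ISO-8601 timestamp
    system: str    # which internal system served the request
    employee: str  # staff identifier
    account: str   # customer account identifier
    case_ref: str  # case/ticket the employee cites; empty string if none


# Constructed: open cases, each binding one employee to one account.
OPEN_CASES = {
    "C-1001": ("emp-a", "acct-7781"),
    "C-1002": ("emp-b", "acct-2210"),
}

# Constructed: after a complaint, specific employees are barred from specific
# accounts regardless of what case they cite.
ACCOUNT_HOLDS = {"acct-7781": {"emp-c"}}

# Constructed: inventory of systems that hold customer data.
SYSTEMS = ["crm", "billing", "travel", "disputes"]

# Constructed access log, one event per line: ts|system|employee|account|case.
LOG = """2025-03-02T09:10:00Z|crm|emp-a|acct-7781|C-1001
2025-03-02T09:12:00Z|crm|emp-c|acct-7781|
2025-03-02T09:15:00Z|billing|emp-c|acct-7781|
2025-03-02T09:40:00Z|crm|emp-b|acct-2210|C-1002
2025-03-03T11:02:00Z|crm|emp-c|acct-7781|C-1002
2025-03-03T11:05:00Z|crm|emp-b|acct-9999|
"""


def authorise(employee, account, case_ref):
    """Access-time decision. Returns (allowed, reason)."""
    if employee in ACCOUNT_HOLDS.get(account, set()):
        return False, "account on hold for this employee"
    case = OPEN_CASES.get(case_ref)
    if case is None:
        return False, "no open case cited"
    if case != (employee, account):
        return False, "cited case does not bind this employee to this account"
    return True, "ok"


def parse_log(text):
    """Parse the pipe-delimited log into AccessEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, system, employee, account, case_ref = line.split("|")
        events.append(AccessEvent(ts, system, employee, account, case_ref))
    return events


def audit(events, repeat_threshold=2):
    """Replay logged accesses through authorise(); report denials and repeats.

    Returns (findings, repeat) where findings lists every access that would
    have been refused and repeat maps (employee, account) pairs that were
    refused at least repeat_threshold times to their count.
    """
    findings = []
    per_pair = Counter()
    for e in events:
        ok, reason = authorise(e.employee, e.account, e.case_ref)
        if not ok:
            findings.append((e.ts, e.system, e.employee, e.account, reason))
            per_pair[(e.employee, e.account)] += 1
    repeat = {pair: n for pair, n in per_pair.items() if n >= repeat_threshold}
    return findings, repeat


def logging_coverage(systems, events):
    """Inventoried systems that never appear in the log: blind spots."""
    seen = {e.system for e in events}
    return sorted(s for s in systems if s not in seen)


if __name__ == "__main__":
    evs = parse_log(LOG)
    found, rep = audit(evs)
    for f in found:
        print("DENY", *f)
    print("repeat offenders:", rep)
    print("systems with no access logging:", logging_coverage(SYSTEMS, evs))
```

The hold list models the Commissioner's point that a flagged employee should be prevented from reaching a particular complainant's account at all; the case binding models "legitimate purpose"; and the coverage check is the blunt answer to a finding that most systems produce no access log, since a system absent from the log can never be audited.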

It is interesting to see American Express adopt a very assertive, perhaps even aggressive, public response to the Commissioner's findings. That is rarely advisable, but given Bunnings' truculent response to the Privacy Commissioner's finding regarding facial recognition it may be a sign of things to come from large companies. It may also be a reaction to the Commissioner becoming more assertive and less inclined to the softer, less enforcement-oriented approach of the past.

It will be interesting to see the final determination, and American Express's response to it. An appeal, perhaps, otherwise known as the Bunnings solution.

The article provides:

A confidential privacy watchdog investigation has found systemic failures with American Express’s technology security controls, exposing more than one million Australian cardholders to risks of privacy breaches, fraud, identity theft and physical harm.

The Office of the Australian Information Commissioner (OAIC) has been investigating American Express since March 2023 after a customer reported that a man he briefly dated had used the company’s systems to unlawfully spy on his personal financial information.

American Express has long claimed the breach was limited to a “sole actor” and handled appropriately, but an interim report written by Privacy Commissioner Carly Kind has found systemic failures that affect most customers.

The explosive and confidential report, obtained by this masthead and disputed by American Express, found the financial giant has breached privacy laws, acted unreasonably, gave misleading information during regulatory investigations and has gaping holes in its technology security that require immediate fixing.

While the final determination is yet to be made, the OAIC’s most damning interim finding is that American Express is not tracking employee access to customer accounts across 78 per cent of its systems – breaching international standards and exposing customers to “insider threat” risks.

Kind’s report in the ongoing secretive investigation also found American Express did not have the technology to restrict staff access to certain customer accounts, even after problematic behaviour was detected – and instead relied heavily on internal policies and staff training to prevent misconduct.

This meant, Kind found, that staff with basic privileges based in Australia and overseas are granted “full and unfettered access” to the private information of Australian customers, which includes celebrities, politicians, politically exposed individuals and vulnerable people.

“The case highlights a vulnerability in the [American Express]’s privacy and data security settings in terms of staff having the ability to access personal information without a legitimate purpose, and for this conduct to go undetected.”

A spokesperson for American Express said these key findings were “demonstrably incorrect and will be covered in our formal submissions” and “appear to be based on incomplete information and inaccurate assumptions”.

“American Express does not accept the findings in the OAIC’s preliminary view,” the spokesperson said.

The spokesperson also defended American Express’s response to the initial privacy breach, stating the employee was disciplined and “additional measures were promptly implemented”.

“American Express continually evolves its processes, policies and systems, and remains committed to maintaining the highest standards of privacy and data protection.”

American Express sells credit cards and travel services to millions of people around the world. In Australia, the multibillion-dollar finance giant employs more than 1500 staff and had around 1.5 million cards in circulation as of 2023.

Kind’s report states American Express holds “granular detail” about the “habits, health information and movements” of its customers, which has the “potential to reveal information about an individual’s location and movements as well as other sensitive personal information”.

“There is the risk that a failure to protect personal information from those security risks may result in financial fraud, identity theft causing financial loss or emotional and psychological harm, family violence, physical harm or intimidation,” Kind found.

The revelations come as Qantas became the latest major company to be embroiled in a privacy scandal after hackers posted the personal information of 5.7 million customers onto the dark web, prompting national discussion around whether privacy regulation is fit for purpose.

The Australian Signals Directorate, the nation’s key cybercrime intelligence agency, released its annual report this week, finding cybersecurity incidents have increased 11 per cent year-on-year, and called for businesses to invest in “best-practice logging” and secure technology systems.

The OAIC regards the “insider threat” as a significant risk for companies holding sensitive information, where rogue employees use internal systems to access private information for malicious or financial purposes.

The interim report found that only 24 out of 112 of American Express’s technology systems track employee access to customer accounts, leaving 78 per cent exposed to insider threats. The lack of comprehensive tracking, Kind found, meant that American Express cannot “audit or enforce” its own policies because it has no “baseline visibility” of inappropriate access.

“Should these limitations remain unchanged, they may prevent the respondent from properly investigating and responding to privacy or security incidents affecting its systems in the future,” the interim report stated.

CyberCX chief strategy officer Alastair MacGibbon said monitoring and limiting staff access to private information was fundamental to ensuring compliance with the law and it was “problematic” if large companies did not have robust tracking.

“Insiders are the key to the privacy and security of organisations,” MacGibbon said. “If you can’t keep track of who has touched a record, it’s very hard to prevent misuse of information.

“In the old days, the HR team would have sensitive documents in a room with a locked door. What’s the equivalent of a locked door today? Monitoring staff access is standard practice. Just knowing you’re being tracked reduces the likelihood of someone doing something mischievous.”

MacGibbon said the more sensitive the information held by companies, such as financial or healthcare data, the greater the obligation to invest in technology and ensure systems were routinely updated.

“Data is a bit like nuclear material,” he said. “It’s useful if contained, dangerous if lying around.”

In the report, the Privacy Commissioner outlines plans to order American Express to implement both logging and access controls across five computer systems relevant to the complaint within six months so that it can track and limit staff access to customer information.

“In addition to these proposed declarations, as a matter of good privacy and information security practice, the respondent should consider ways to strengthen access controls across the other 107 systems containing the personal information of Australians,” it found.

American Express told the privacy watchdog that limiting staff access to customer accounts would “create additional operational complexity” – a position rejected by OAIC, which noted the company reported $1.5 billion in revenue in 2022.

“I am conscious that the implementation of such changes is a project that may take some time,” Kind stated. “However, given the potential consequences of unauthorised access to personal information, particularly for high-profile or vulnerable individuals … I am not satisfied that the implementation of such controls was disproportionate to the risks involved.”

The privacy watchdog plans to order American Express to hire an independent reviewer to examine its broader policies to ensure compliance with privacy laws and report the findings within six months. In addition, Kind wants American Express to provide compensation and a written apology to the complainant, signed by a senior representative.

American Express was ordered to respond to the OAIC’s interim report by May 29, although progress on reaching a final determination has been hampered by disagreement over how to handle the complainant’s sensitive documents.

This masthead previously revealed that the Australian Financial Complaints Authority found American Express had breached privacy laws when its employee accessed the complainant’s accounts on at least nine occasions without consent, but determined American Express acted responsibly once the breaches were found.

The OAIC challenged this finding, stating the company’s actions were “concerning” and it provided inconsistent information during its investigation and has still not stopped the offending staff member, who remains employed at American Express, from accessing the complainant’s account.

“There remains a risk he may access it again,” Kind found. “I am of the preliminary view that during the relevant period, the totality of steps taken by the respondent were not reasonable in the circumstances to protect the personal information it held from misuse, interference and loss.”

Contacted for comment, a spokesperson for the OAIC confirmed the investigation was ongoing and said findings had not yet been made though it was seeking to “progress matters as expeditiously as possible”.

“The OAIC is required to maintain the confidentiality of information obtained in its investigations and we are unable to comment further on the details of this matter.”
