American Express has been ordered to overhaul its data security after a customer discovered an employee had spied on his private information — and the company couldn't even audit 78 per cent of its systems holding Australians' personal data.

Privacy Commissioner Carly Kind found the payments giant had “failed to implement appropriate, uniformly applied technical and organisational measures to address insider security risks posed by its staff”. She ordered American Express to fix five specific data systems, restrict employee access to sensitive customer info, and install time-stamp logs every time a worker accesses or changes a customer's records.
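The two controls ordered above, role-restricted access to sensitive fields and a timestamped record of every read or change, are the standard insider-risk baseline for a customer-records system. The following is an added illustration, not American Express's code or anything from the determination: a small in-memory store that enforces per-role field access, appends an audit event for every access attempt (including denied ones), and runs a simple detection over that log. Role names, field names, staff names and the customer record are constructed sample data, and the flagging rule (access with no case reference, or any denied attempt) is an assumption chosen for the example.

```python
"""Audit-logged, least-privilege access to customer records.

Added illustration only; not American Express's code. Roles, fields,
staff names and the record below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Fields each role may read; "support" never sees the sensitive ones.
ROLE_FIELDS = {
    "support": {"name", "card_last4"},
    "fraud_investigator": {"name", "card_last4", "address", "date_of_birth"},
}
# Roles permitted to change a record at all.
ROLE_CAN_WRITE = {"fraud_investigator"}


@dataclass
class AuditEvent:
    ts: str            # UTC ISO-8601 timestamp of the attempt
    employee: str
    role: str
    action: str        # "read" | "update" | "denied"
    customer_id: str
    fields: List[str]  # fields touched (or blocked, for "denied")
    reason: str        # case/ticket reference the employee supplied


class CustomerStore:
    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.audit_log: List[AuditEvent] = []   # append-only trail

    def _log(self, employee, role, action, customer_id, fields, reason):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), employee, role,
            action, customer_id, sorted(fields), reason))

    def read(self, employee, role, customer_id, fields, reason=""):
        """Return only the requested fields the role is allowed to see."""
        allowed = ROLE_FIELDS.get(role, set())
        blocked = set(fields) - allowed
        if blocked:
            self._log(employee, role, "denied", customer_id, blocked, reason)
            raise PermissionError(f"{role} may not read {sorted(blocked)}")
        self._log(employee, role, "read", customer_id, fields, reason)
        rec = self._records[customer_id]
        return {f: rec[f] for f in fields}

    def update(self, employee, role, customer_id, changes, reason=""):
        """Apply changes only for writer roles; every attempt is logged."""
        if role not in ROLE_CAN_WRITE:
            self._log(employee, role, "denied", customer_id, changes.keys(), reason)
            raise PermissionError(f"{role} may not change records")
        self._log(employee, role, "update", customer_id, changes.keys(), reason)
        self._records[customer_id].update(changes)


def suspicious_events(log: List[AuditEvent]) -> List[AuditEvent]:
    """Flag any denied attempt and any access made with no case reference.
    A production programme would add peer-group baselines and watchlists."""
    return [e for e in log if e.action == "denied" or not e.reason]


def demo() -> CustomerStore:
    """Constructed scenario: one support agent, one investigator, one record."""
    store = CustomerStore({"C1": {"name": "J. Smith", "card_last4": "1234",
                                  "address": "1 Example St",
                                  "date_of_birth": "1970-01-01"}})
    store.read("alice", "support", "C1", ["name", "card_last4"], reason="TICKET-42")
    try:
        store.read("alice", "support", "C1", ["address"])  # blocked field, no reason
    except PermissionError:
        pass
    store.read("bob", "fraud_investigator", "C1", ["address"])  # allowed, no reason
    store.update("bob", "fraud_investigator", "C1",
                 {"address": "2 Example St"}, reason="CASE-7")
    return store


if __name__ == "__main__":
    s = demo()
    for e in suspicious_events(s.audit_log):
        print(e.ts, e.employee, e.action, e.customer_id, e.fields, repr(e.reason))
```

Running the module prints the two events a reviewer would want to look at: the support agent's blocked attempt to read an address, and the investigator's address lookup made without a case reference. The point of logging denied attempts alongside successful ones is that the former is often the earliest signal of an employee probing for data outside their role.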

The ruling comes four years after the complainant, John Smith (not his real name), first reported the breach. He didn't want compensation — he just wanted the company to fix its security so other cardholders wouldn't be vulnerable. The case dragged on partly because American Express demanded Smith provide a medical report so it could argue about the payout amount. Smith refused, saying he wouldn't hand over sensitive info to a company he'd already accused of privacy breaches.

Kind's final determination runs 32 pages, but the public only gets a 14-page summary. The commissioner decided full disclosure could harm individuals and create cybersecurity risks. Smith isn't happy about that. “It is in the manifestly public interest for the privacy commissioner's final determination to be made public,” he said. “There is no public interest in secrecy and cover-ups.”

The parties are also gagged from discussing the full determination under threat of legal action, and the Herald and The Age haven't seen the final version. Smith called on Kind to release the whole thing.

This isn't American Express's first insider incident. In 2019, an employee wrongfully accessed customer accounts in an attempt to commit fraud. In 2023, a former employee in India accessed the company's Asia-Pacific employee data. So the company knew about insider threats — but Kind said its monitoring wasn't uniform across all frontline teams.

In a statement, American Express said: “We take this matter seriously. We are committed to protecting customer information and handling personal information responsibly, with privacy and data protection as important priorities. As we have done throughout the investigation, we will continue to work with the OAIC and take steps to address its recommendations.”

Kind's preliminary view from over a year ago had already revealed that American Express could “neither audit nor enforce its policies about an employee’s access to personal information for 88 of its systems, that is, for 78 per cent of … [its] systems that hold the personal information of Australians”. The final determination doesn't say whether she found weaknesses in other systems beyond the five.

American Express must now fix the five identified systems, put monitoring in place, and send Smith a written apology. The Office of the Australian Information Commissioner will enforce the orders. But with only a summary made public, customers won't know the full extent of the security holes — or whether other systems are still vulnerable. Smith's main worry is that other cardholders remain at risk, and he says the public has a right to know.