Image by SimonQ錫濛譙

American Express has warned its customers that they may have had their personal information stolen during a data breach—which happened in 2013.


The company explained to California’s attorney general in a letter sent on March 10th that a merchant suffered a data breach. The first version of the letter sent to the attorney general incorrectly described the breach as occurring at a third-party provider. It explains that “account information of some of our Card Members, including some of your account information, may have been involved.”

The breach occurred on Saturday December 7th in 2013. American Express alerted customers as soon as it was made aware of the breach, and it doesn’t yet know why the merchant in question didn’t inform it earlier.


But don’t worry! Because American Express reassures everyone by adding that “it is important to note that American Express owned or controlled systems were not compromised by this incident.” Well, thank goodness for that.

The credit card company does say that it’s monitoring accounts for fraud. But given the time lags involved with owning up to the news, you’d probably be best served keeping an eye on your account yourself.

Update: This post a has been amended after American Express got in touch to tell us that the letter sent to California’s attorney general was actually incorrect. The data breach wasn’t of a third-party, but a merchant. That also accounts for the lag: American Express alerted customers as soon as it was made aware of the breach.

[DOJ via ThreatPost]