Update American Express has told the California Department of Justice that some of its customers had their credit card numbers stolen, and that it happened almost three years ago.

We're told Amex's security was not directly breached by criminals, rather its customers' details were leaked by a clumsy intermediary. The fact it took three years to confirm this is a little off.

"We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system," American Express chief privacy officer Stefanie Ash said in a letter to customers, which was sent on March 10 and shared with the Cali DoJ.

"Account information of some of our card members, including some of your account information, may have been involved," Ash continued. "It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure."

Ash said American Express Card account numbers, cardholder's names, and other card information such as the expiration date, may have been compromised in the attack. The company said customers would not be liable for any fraudulent charges made due to the attack.

In the meantime, Amex recommends customers download its mobile app to keep an eye on their accounts and monitor their credit card statements closely. Presumably this means going back over payment details since December 2013, when the breach occurred.

"Especially in today's environment, we understand that your security is paramount," the letter says. "We are strongly committed to protecting the privacy and security of your information and regret any concern this may have caused you."

Quite why American Express kept this one quiet for so long isn't explained, but it's likely that a third-party merchant forgot its legal obligations to tell the payment giant. In any case, Amex has not responded to a request for comment on the matter. ®

Updated to add

Ashley Tufts, director of corporate affairs at American Express, got in touch with The Register after we published our story to stress the following:

I’ve learned today that the incident American Express reported to the California Attorney General on March 10 was not a breach of any American Express environment or service provider, but rather was a merchant breach. We inadvertently filed an incorrect version of the customer notice with the California Attorney General, which is being corrected. It's important to note that we sent the correct version of the letter to Card Members in California notifying them of a merchant breach. We sent the letter as a courtesy to our Card Members in California when we were made aware of the breach by the merchant this year. The letter to our Card Members includes information and resources that we hope they can use to protect their information.