--- Begin Message ---
[ Thanks to one active contributor who had no trouble accessing it, and
to another who reco'd I turn off JavaScript - which did indeed work. ]
> ... American Express is not tracking employee access to customer
> accounts across 78 per cent of its systems – breaching international
> standards and exposing customers to “insider threat” risks.
> ... American Express did not have the technology to restrict staff
> access to certain customer accounts, even after problematic behaviour
> was detected – and instead relied heavily on internal policies and staff
> training to prevent misconduct. ...
> ... staff with basic privileges based in Australia and overseas are
> granted “full and unfettered access” to the private information of
> Australian customers, which includes celebrities, politicians,
> politically exposed individuals and vulnerable people.
These were requirements over 30 years ago.
This is from a 1992 presentation at an ICAC event:
https://www.rogerclarke.com/DV/PaperICAC.html#RTFToC16
> Cases in which persons who normally do have access, but who abuse
> their position of trust, are more challenging to control. Nevertheless,
> various possibilities exist; for example:
> - imposition of the requirement that individuals record a reason
> for the access, or the identifier of the case on which they were working
> (e.g. a file-number or transaction-number) (Prevention and Deterrence);
> - investigation of all accesses in which no identifier is provided
> and of individuals who commonly access without providing an identifier
> (Detection and Deterrence);
> - investigation of a random sample of accesses (Detection).
>
> Finally, all of these measures require subsequent action. Breaches
> must be detected. When a breach is detected, action must be taken to
> deal with the offender, and to publicise the sanctions applied to the
> offender, thereby achieving a deterrent effect on others.
‘Sensitive personal information’: Leaked report reveals American Express
security failures
Charlotte Grieve and Julie Lewis
The Sydney Morning Herald
October 15, 2025 — 5.45am
https://www.smh.com.au/business/banking-and-finance/sensitive-personal-information-leaked-report-reveals-american-express-security-failures-20251002-p5mzmr.html
A confidential privacy watchdog investigation has found systemic
failures with American Express’s technology security controls, exposing
more than one million Australian cardholders to risks of privacy
breaches, fraud, identity theft and physical harm.
The Office of the Australian Information Commissioner (OAIC) has been
investigating American Express since March 2023 after a customer
reported a man he briefly dated for using the company’s systems to
unlawfully spy on his personal financial information.
American Express has long claimed the breach was limited to a “sole
actor” and handled appropriately, but an interim report written by
Privacy Commissioner Carly Kind has found systemic failures that affect
most customers.
The explosive and confidential report, obtained by this masthead and
disputed by American Express, found the financial giant has breached
privacy laws, acted unreasonably, gave misleading information during
regulatory investigations and has gaping holes in its technology
security that require immediate fixing.
While the final determination is yet to be made, the OAIC’s most damning
interim finding is that American Express is not tracking employee access
to customer accounts across 78 per cent of its systems – breaching
international standards and exposing customers to “insider threat” risks.
Kind’s report in the ongoing secretive investigation also found American
Express did not have the technology to restrict staff access to certain
customer accounts, even after problematic behaviour was detected – and
instead relied heavily on internal policies and staff training to
prevent misconduct.
This meant, Kind found, that staff with basic privileges based in
Australia and overseas are granted “full and unfettered access” to the
private information of Australian customers, which includes celebrities,
politicians, politically exposed individuals and vulnerable people.
“The case highlights a vulnerability in the [American Express]’s privacy
and data security settings in terms of staff having the ability to
access personal information without a legitimate purpose, and for this
conduct to go undetected.”
A spokesperson for American Express said these key findings were
“demonstrably incorrect and will be covered in our formal submissions”
and “appear to be based on incomplete information and inaccurate
assumptions”.
“American Express does not accept the findings in the OAIC’s preliminary
view,” the spokesperson said.
The spokesperson also defended American Express’s response to the
initial privacy breach, stating the employee was disciplined and
“additional measures were promptly implemented”.
“American Express continually evolves its processes, policies and
systems, and remains committed to maintaining the highest standards of
privacy and data protection.”
American Express sells credit cards and travel services to millions of
people around the world. In Australia, the multibillion-dollar finance
giant employs more than 1500 staff and had around 1.5 million cards in
circulation as of 2023.
Kind’s report states American Express holds “granular detail” about the
“habits, health information and movements” of its customers, which has
the “potential to reveal information about an individual’s location and
movements as well as other sensitive personal information”.
“There is the risk that a failure to protect personal information from
those security risks may result in financial fraud, identity theft
causing financial loss or emotional and psychological harm, family
violence, physical harm or intimidation,” Kind found.
The revelations come as Qantas became the latest major company to be
embroiled in a privacy scandal after hackers posted the personal
information of 5.7 million customers onto the dark web, prompting
national discussion around whether privacy regulation is fit for purpose.
The Australian Signals Directorate, the nation’s key cybercrime
intelligence agency, released its annual report this week, finding
cybersecurity incidents have increased 11 per cent year-on-year, and
called for businesses to invest in “best-practice logging” and secure
technology systems.
The OAIC regards the “insider threat” as a significant risk for
companies holding sensitive information, where rogue employees use
internal systems to access private information for malicious or
financial purposes.
The interim report found that only 24 out of 112 of American Express’s
technology systems track employee access to customer accounts, leaving
78 per cent exposed to insider threats. The lack of comprehensive
tracking, Kind found, meant that American Express cannot “audit or
enforce” its own policies because it has no “baseline visibility” of
inappropriate access.
“Should these limitations remain unchanged, they may prevent the
respondent from properly investigating and responding to privacy or
security incidents affecting its systems in the future,” the interim
report stated.
CyberCX chief strategy officer Alastair MacGibbon said monitoring and
limiting staff access to private information was fundamental to ensuring
compliance with the law and it was “problematic” if large companies did
not have robust tracking.
“Insiders are the key to the privacy and security of organisations,”
MacGibbon said. “If you can’t keep track of who has touched a record,
it’s very hard to prevent misuse of information.
“In the old days, the HR team would have sensitive documents in a room
with a locked door. What’s the equivalent of a locked door today?
Monitoring staff access is standard practice. Just knowing you’re being
tracked reduces the likelihood of someone doing something mischievous.”
MacGibbon said the more sensitive the information held by companies,
such as financial or healthcare data, the greater the obligation to
invest in technology and ensure systems were routinely updated.
“Data is a bit like nuclear material,” he said. “It’s useful if
contained, dangerous if lying around.”
In the report, the Privacy Commissioner outlines plans to order American
Express to implement both logging and access controls across five
computer systems relevant to the complaint within six months so that it
can track and limit staff access to customer information.
“In addition to these proposed declarations, as a matter of good privacy
and information security practice, the respondent should consider ways
to strengthen access controls across the other 107 systems containing
the personal information of Australians,” it found.
American Express told the privacy watchdog that limiting staff access to
customer accounts would “create additional operational complexity” – a
position rejected by OAIC, which noted the company reported $1.5 billion
in revenue in 2022.
“I am conscious that the implementation of such changes is a project
that may take some time,” Kind stated. “However, given the potential
consequences of unauthorised access to personal information,
particularly for high-profile or vulnerable individuals … I am not
satisfied that the implementation of such controls was disproportionate
to the risks involved.”
The privacy watchdog plans to order American Express to hire an
independent reviewer to examine its broader policies to ensure
compliance with privacy laws and report the findings within six months.
In addition, Kind wants American Express to provide compensation and a
written apology to the complainant, signed by a senior representative.
American Express was ordered to respond to the OAIC’s interim report by
May 29, although progress on reaching a final determination has been
hampered by disagreement over how to handle the complainant’s sensitive
documents.
This masthead previously revealed that the Australian Financial
Complaints Authority found American Express had breached privacy laws
when its employee accessed the complainant’s accounts on at least nine
occasions without consent, but determined American Express acted
responsibly once the breaches were found.
The OAIC challenged this finding, stating the company’s actions were
“concerning” and it provided inconsistent information during its
investigation and has still not stopped the offending staff member, who
remains employed at American Express, from accessing the complainant’s
account.
“There remains a risk he may access it again,” Kind found. “I am of the
preliminary view that during the relevant period, the totality of steps
taken by the respondent were not reasonable in the circumstances to
protect the personal information it held from misuse, interference and
loss.”
Contacted for comment, a spokesperson for the OAIC confirmed the
investigation was ongoing and said findings had not yet been made though
it was seeking to “progress matters as expeditiously as possible”.
“The OAIC is required to maintain the confidentiality of information
obtained in its investigations and we are unable to comment further on
the details of this matter.”
--
Roger Clarke mailto:[email protected]
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow UNSW Law & Justice
Visiting Professor in Computer Science Australian National University
--- End Message ---
_______________________________________________
apf-media-archive mailing list
[email protected]
https://lists.privacy.org.au/mailman/listinfo/apf-media-archive
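The three measures quoted above from the 1992 ICAC paper (record a case identifier with every access; investigate accesses with no identifier and the individuals who habitually omit one; review a random sample), together with the per-account restriction the article says American Express could not apply after misconduct was detected, expressed as a small access-audit routine. This is an added example, not code from the message, the paper or any American Express system; the log records, staff names, account and case identifiers, and the flagging thresholds are constructed assumptions.

```python
"""Access-justification logging and review.

Every customer-record access is expected to carry a case identifier
(Prevention and Deterrence).  Accesses without one, users who commonly
omit one, and repeated unjustified access to a single account are
surfaced for investigation (Detection), and a random sample of all
accesses is drawn for routine review.  All data below is constructed.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRecord:
    user: str
    account: str
    case_id: Optional[str]  # file / transaction number justifying the access
    timestamp: str


# Constructed sample access log (hypothetical staff and accounts).
SAMPLE_LOG: List[AccessRecord] = [
    AccessRecord("alice", "ACC-1001", "CASE-7", "2025-10-01T09:00"),
    AccessRecord("alice", "ACC-1002", "CASE-8", "2025-10-01T09:05"),
    AccessRecord("bob", "ACC-1001", None, "2025-10-01T10:10"),
    AccessRecord("bob", "ACC-1001", None, "2025-10-02T22:41"),
    AccessRecord("bob", "ACC-1003", "CASE-9", "2025-10-02T23:00"),
    AccessRecord("carol", "ACC-1004", None, "2025-10-03T08:30"),
    AccessRecord("carol", "ACC-1005", "CASE-10", "2025-10-03T08:45"),
]

# Prevention: (user, account) pairs blocked after problematic behaviour
# was found -- the control the article says could not be applied.
RESTRICTED: Set[Tuple[str, str]] = {("bob", "ACC-1001")}


def authorize(user: str, account: str, case_id: Optional[str],
              open_cases: Dict[str, str],
              restricted: Set[Tuple[str, str]] = RESTRICTED) -> bool:
    """Gate an access request before the record is shown.

    Refuses when the user is restricted from this account, when no case
    identifier is supplied, or when the case is not an open case for
    this account (open_cases maps case_id -> account)."""
    if (user, account) in restricted:
        return False
    if case_id is None or open_cases.get(case_id) != account:
        return False
    return True


def unjustified(records: List[AccessRecord]) -> List[AccessRecord]:
    """All accesses recorded without a case identifier."""
    return [r for r in records if r.case_id is None]


def habitual_omitters(records: List[AccessRecord], threshold: float = 0.6,
                      min_accesses: int = 2) -> List[str]:
    """Users whose share of unjustified accesses reaches the threshold."""
    total: Dict[str, int] = defaultdict(int)
    missing: Dict[str, int] = defaultdict(int)
    for r in records:
        total[r.user] += 1
        if r.case_id is None:
            missing[r.user] += 1
    return sorted(u for u in total
                  if total[u] >= min_accesses
                  and missing[u] / total[u] >= threshold)


def repeated_unjustified(records: List[AccessRecord]) -> List[Tuple[str, str]]:
    """(user, account) pairs opened more than once with no case identifier,
    the pattern behind the complaint described in the article."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in records:
        if r.case_id is None:
            counts[(r.user, r.account)] += 1
    return sorted(k for k, n in counts.items() if n >= 2)


def random_sample(records: List[AccessRecord], k: int,
                  seed: int) -> List[AccessRecord]:
    """Seeded random sample of accesses for routine human review."""
    rng = random.Random(seed)
    return rng.sample(records, min(k, len(records)))


if __name__ == "__main__":
    print("unjustified accesses:", len(unjustified(SAMPLE_LOG)))
    print("habitual omitters:", habitual_omitters(SAMPLE_LOG))
    print("repeated unjustified:", repeated_unjustified(SAMPLE_LOG))
    for r in random_sample(SAMPLE_LOG, 3, seed=1):
        print("review:", r)
```

The detection functions only work if the access is written to the log in the first place; an account held on a system that records nothing gives an auditor no baseline, which is the gap the interim report describes for 88 of the 112 systems.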