What the American Express Data Breach Should Teach the C-Suite

On September 30, American Express sent letters to some of its cardholders, informing them that their personal information had been improperly accessed by a former employee, who apparently tried to use that data to open fraudulent accounts at other financial institutions. Amex has not disclosed how many accounts were compromised but told victims that their account numbers, addresses, dates of birth, and Social Security numbers had been stolen.

While the full scope of this crime is not yet clear, the implications are potentially serious, and not just for Amex. Incidents of data theft and mismanagement are on the rise—just days after the Amex story broke, Twitter found itself embroiled in its own user data scandal—and the costs are mounting.

These costs can take the form of lost revenue, lost customer trust, fines issued under new data privacy laws, and the increasing potential for credentials stolen in one attack to be used against other businesses.

Corporate titans such as American Express can weather the storm of a data breach, but SMBs can ill-afford the cost of a breach on their revenue and reputation. Yet despite the risks, many SMBs drastically underestimate the cost of a breach. According to AppRiver's Q3 Cyberthreat Index for Business Survey, 67% of respondents estimated a breach would cost less than $25,000. In reality, the average cost is $149,000.

Executives in every industry should take note of this breach and use it as an opportunity to examine their own data security. With that in mind, let’s take a look at what we know about the American Express data theft, how businesses can protect themselves from employee malfeasance, and the potential for stolen data to lead to further breaches

The Facts (So Far) about the Amex Breach

According to American Express, the employee accused of using cardholder data for identity theft no longer works for the company and is under investigation by law enforcement.

In its letter, Amex assured victims that they won’t be liable for fraudulent charges and offered two years of free Experian identity monitoring. (Ironically, to use that service, victims must disclose their SSNs and addresses to Experian, and some customers may feel uncomfortable trusting that information to credit monitoring services in the wake of the Equifax breach.)

It bears mentioning that this isn’t the first time American Express customers have had their personal information compromised. However, this breach is somewhat unusual in that it isn’t the result of accidentally exposed data or a malicious intruder posing as a trusted third party but of an actual employee improperly accessing sensitive information.

How Businesses Can Protect Themselves from Employee Fraud

American Express hasn’t revealed whether the employee responsible for this breach had the appropriate credentials to access unencrypted customer data or how they copied that data for their personal use. Whatever the specific circumstances, identity professionals know the most effective tactics for deterring employee fraud are carefully controlling and monitoring access to sensitive data.

Cloud Identity and Access Management (IAM) is an effective way for cloud-based enterprises to manage access to resources. A good cloud IAM solution functions as a single, centralized resource for admins to grant access to data. With the flip of a switch, you can assign permissions based on what an employee needs for their current task and then revoke it when that task is completed, so valuable information is exposed as little as possible.

All cloud IAM solutions aren’t created equally, however, and you should look at one that lets you proactively keep an eye on employees and identify suspicious behavior. In its report on MFA for e-commerce, NIST specifically recommends that businesses “enable system-activity situational awareness by providing dashboards that display account lockout and authentication activity.”

Auth0’s dashboard gives you a comprehensive, bird’s-eye view of user behavior, including customers, third parties, and employees.

Using Auth0’s Rules, you can configure your dashboard to alert admins in the event of suspicious behavior, which you can define according to your needs. For example, you might want to be alerted if an employee continually tries to access sensitive resources unrelated to their work or logs in from a new device or at an unusual time of day.

Guarding against the Ripple Effects of Data Breaches

The American Express data breach is unlikely to be the last scandal involving credit card companies since they are such high-value targets for thieves. But executives across every industry should understand that breaches such as this don’t just harm the individual company involved; they threaten the entire e-commerce landscape.

Data breaches like this have a spillover effect since hackers often use data stolen in one breach to impersonate users on other sites, a type of attack known as credential stuffing. The best protection against this is multi-factor authentication (MFA). MFA requires users to prove their identity via means that are more difficult to fake than simple data, such as a fingerprint scan or a one-time code sent to a personal device.

Auth0’s MFA comes with the added security of breached password detection. Auth0 keeps a constantly updated collection of breached credentials and alerts users if their login information may have been compromised.

Don’t Be the Next Casualty of an Amex-Style Breach

For executives, there are already valuable lessons to be learned from the American Express data breach. However, those lessons are unlikely to comfort the victims of this breach or restore their faith in their credit card company. So for now, one truth about this attack is already abundantly clear: when it comes to customer data, it’s better to invest in vigilance than damage control.