The Australian Privacy Commissioner has found American Express Australia breached privacy law by failing to adequately protect a customer’s personal information from unauthorised internal access and then threatened the complainant with court action to ensure his silence on the details.

It follows years of lies, obfuscation and pushbacks by the company and delays and inaction by both the independent statutory agency promoting privacy and information access rights and a free independent ombudsman service that helps individuals and small businesses resolve disputes with financial firms.

Privacy Commissioner Carly Kind has found against American Express. Credit: Louie Douvis

Privacy Commissioner Carly Kind ordered American Express to rectify security flaws in five of its data systems to guard against “insider threats”, restrict employee access to specific customer information and provide a written apology to the customer who first brought the holes in its data security to the regulator’s attention.

Kind called out the “evident deficiencies” in the company’s complaint handling process in the case, saying it cast doubt on its entire complaint handling system.

The man had fought a lone and heroic four-year battle to protect the privacy of millions of customers worldwide and force the company to acknowledge his privacy had been breached after he began to suspect an American Express employee he briefly dated in 2022 had monitored his card accounts.

He complained to the company. When that went nowhere he went to the Office of the Australian Information Commissioner, which referred the matter to the Australian Financial Complaints Authority. Immediately, AFCA requested a meeting with the company to confirm its employee no longer had access to the man’s account and the company’s response was swift … and wrong.

“We confirm that the employee has no access to [the man]’s account,” Amex responded. The company maintained the line for months until it suddenly reversed course, admitted the breach and received a leave pass from AFCA.

Incredibly, AFCA deemed American Express had responded appropriately “in the circumstances”. The man went back to the OAIC and the Privacy Commissioner, who ultimately substantiated the years-old complaint. However, she restricted her complete findings to the company and complainant. The public was only provided a website summary on Monday.

In a statement, American Express acknowledged the commission’s decision. “We take this matter seriously,” it said. “We are committed to protecting customer information and handling personal information responsibly, with privacy and data protection as important priorities. As we have done throughout the investigation, we will continue to work with the OAIC and take steps to address its recommendations.”

But there is no indication what action, if any, the company plans to take.

Commissioner Kind has kept secret what compensation she has awarded the complainant. Nor has she detailed wider security vulnerabilities she may have identified in other company data systems aside from the five at the centre of the complaint.

Her findings confirm systemic failures with American Express’s technology security controls, possibly exposing more than one million Australian cardholders to risks of privacy breaches, fraud, identity theft and physical harm.

Asked how the OAIC would enforce the commissioner’s determination, it directed the Herald to its website and a page that reads: the “commissioner may commence proceedings in the Federal Court or the Federal Circuit Court for an order to enforce a determination”. But it did not indicate if the commissioner was prepared to do just that.

In an era when American Express continues its remorseless global expansion and internet fraud looms increasingly as a part of daily lives, failing to come down hard on companies that break the law and protecting them from public scrutiny risks the creation of a culture of impunity among corporate Australia.

The Herald’s View – Since the Herald was first published in 1831, the editorial team has believed it important to express a considered view on the issues of the day for readers, always putting the public interest first.
