American Express has been ordered to pay compensation and strengthen its privacy controls after Australia's privacy watchdog found weaknesses in its internal systems left customer data vulnerable to misuse by employees.

In a damning determination stemming from a 2022 complaint, the Office of the Australian Information Commissioner (OAIC) found Amex failed to take reasonable steps to protect personal information, with staff able to access customer accounts without sufficient technical restrictions or monitoring.

The regulator found that "the majority of its customers' data were exposed to privacy breaches from rogue employees", elevating the matter beyond a single privacy incident and highlighting what it described as a significant insider threat risk within the company's systems.

The findings, outlined in a 15-page report, conclude a long-running investigation that began after a customer, identified as 'BAM', alleged a former partner employed by Amex accessed his personal financial information without authorisation.

OAIC substantiated the complaint and ordered American Express to pay more than $23,000 in compensation, according to the ABC.

Sole actor or wider problem?

While the company has consistently maintained it acted appropriately and that the incident involved a "sole actor", the regulator concluded the case exposed broader shortcomings in the way customer information could be accessed internally.

In its most critical findings, OAIC said Amex's systems allowed inappropriate internal access to customer accounts and did not adequately restrict or monitor staff activity across the business.

Employees across the organisation could access customer information without sufficient technical barriers to ensure access was limited to legitimate business purposes.

"The case highlights a vulnerability in the [American Express] privacy and data security settings in terms of staff having the ability to access personal information without a legitimate purpose, and for this conduct to go undetected," the report said.

According to the determination, the company relied heavily on policies, procedures and employee training to discourage inappropriate behaviour.

However, OAIC found those measures were not enough on their own given the volume and sensitivity of personal information held by the organisation.

Prevent and detect

The regulator said technical safeguards should be designed not only to deter unauthorised access, but also to prevent and detect it.

"Technical safeguards must be robust enough to prevent and detect unauthorised access," the investigation concluded.

The determination found Amex had limited visibility over internal access patterns, meaning it could not consistently determine whether employees were accessing customer accounts for legitimate reasons or viewing information without authorisation.

It also pointed to deficiencies in logging and monitoring capabilities that limited the company's ability to identify suspicious activity in real time.

While the investigation did not uncover evidence of a broader privacy breach affecting customers, the regulator warned that weaknesses in internal controls could have consequences similar to those arising from an external cyberattack.

Inappropriate access

The findings reflect a growing focus among privacy regulators on internal governance and employee access controls rather than cybersecurity threats alone.

As organisations continue to accumulate vast quantities of customer information, regulators are increasingly examining who can access that data, under what circumstances, and what safeguards are in place to prevent misuse.

The case is likely to resonate beyond American Express, particularly among financial institutions and other organisations that handle large volumes of sensitive personal and financial information.

Privacy and security specialists have long warned that insider threats remain one of the most difficult risks for organisations to manage.

Unlike external attackers, employees often have legitimate access to systems and data, making misuse harder to detect without sophisticated monitoring, auditing and access-control mechanisms.

The OAIC's findings reinforce expectations that organisations must implement layered protections that combine policy settings with technical controls capable of detecting anomalous behaviour and restricting access where it is not required.
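The layered control the regulator describes (prevent access that has no legitimate purpose, and detect it when it happens anyway) can be expressed as one "purpose-binding" rule checked at request time and re-run over the audit log. The sketch below is an added illustration, not code from the article, the OAIC or American Express; the case queue, employee ids and audit-log entries are constructed, and the rule that access requires an open case on that account assigned to the requesting employee is an assumption about how such a control might be designed.

```python
from dataclasses import dataclass
from typing import Optional
from collections import Counter

@dataclass(frozen=True)
class Case:
    case_id: str
    account: str
    assignee: str        # employee the case is assigned to
    open: bool = True

@dataclass(frozen=True)
class AccessEvent:
    ts: str
    employee: str
    account: str
    case_id: Optional[str]  # business reason cited by the employee, if any

# Constructed sample data: a small case queue and a customer-account audit log.
CASES = {
    "C-100": Case("C-100", "ACC-001", "emp-alice"),
    "C-101": Case("C-101", "ACC-002", "emp-bob"),
    "C-102": Case("C-102", "ACC-003", "emp-alice", open=False),
}

AUDIT_LOG = [
    AccessEvent("2024-03-01T09:00Z", "emp-alice", "ACC-001", "C-100"),  # legitimate
    AccessEvent("2024-03-01T09:05Z", "emp-bob",   "ACC-002", "C-101"),  # legitimate
    AccessEvent("2024-03-01T09:10Z", "emp-bob",   "ACC-001", "C-100"),  # case not assigned to bob
    AccessEvent("2024-03-01T09:12Z", "emp-carol", "ACC-009", None),     # no business reason at all
    AccessEvent("2024-03-01T09:20Z", "emp-alice", "ACC-003", "C-102"),  # case already closed
    AccessEvent("2024-03-01T09:30Z", "emp-carol", "ACC-009", None),     # repeat lookup, same account
]

def authorise(event: AccessEvent, cases: dict) -> bool:
    """Preventive control: grant access only when the cited case is open,
    concerns the requested account, and is assigned to the requesting employee."""
    case = cases.get(event.case_id)
    return (case is not None and case.open
            and case.account == event.account
            and case.assignee == event.employee)

def detect(log, cases):
    """Detective control over the same rule: return the events that should have
    been refused, plus a per-employee count so repeat behaviour stands out."""
    flagged = [e for e in log if not authorise(e, cases)]
    per_employee = Counter(e.employee for e in flagged)
    return flagged, per_employee
```

Running `detect` over the whole log is what gives visibility of internal access patterns: a single refusal is noise, but the same employee repeatedly reaching an account with no case attached is the pattern worth escalating.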

Sensitive information

For regulators, the matter also highlights the challenge of balancing transparency with the need to protect sensitive security information.

Parts of the OAIC's determination remain restricted, with the regulator previously emphasising the importance of ensuring that public findings do not inadvertently expose vulnerabilities that could be exploited by malicious actors.

In a statement accompanying related proceedings, the OAIC said its processes aim to "balance the need for transparency, regulatory guidance and deterrence… with the need to prevent harm and preserve the effectiveness of the regulatory framework".

For American Express, the outcome represents a significant regulatory finding that its systems fell short of Australian privacy requirements.

Although the company disputes aspects of the regulator's interpretation and maintains the incident involved a single employee acting improperly, the determination signals heightened expectations around how organisations manage employee access to customer data.

The ruling serves as a warning that protecting personal information is no longer solely about defending against hackers and cybercriminals.

Regulators are increasingly scrutinising the systems, permissions and oversight structures that determine who inside an organisation can access customer information, and whether that access can be justified, monitored and, where necessary, prevented.