3/4/24: Article updated with further clarification from American Express that it was a merchant processor who was hacked, not one of their service providers.

American Express is warning customers that credit cards were exposed in a third-party data breach after a merchant processor was hacked.

This incident was not caused by a data breach at American Express, but rather at a merchant processor in which American Express Card member data was processed. 

In a data breach notification filed with the state of Massachusetts under "American Express Travel Related Services Company," the company warned customers their credit cards may have been stolen.

"We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system," explains the data breach notification.

"Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure."

The breach has led to customers' American Express Card account numbers, names, and card expiration data being accessed by the hackers. 

It is unclear how many customers were impacted, what merchant processor was breached, and when the attack occurred.

When BleepingComputer asked American Express for more information about the breach, we were told that they do not disclose details of their business relationships and merchant partners and had no further information to share at this time.

However, American Express did say that they have notified the required regulatory authorities and are alerting impacted customers.

"When we learn about a data security incident that impacts our customers, we promptly begin an investigation and notify the appropriate regulatory authorities, as required," American Express told BleepingComputer.

"We also work to identify impacted customers and understand the specific impacts, and then notify them as required by applicable laws and regulations.

Furthermore, if a cardmember's credit card is used to make fraudulent purchases, American Express told BleepingComputer that customers would not be responsible for the charges.

American Express advises customers to review their account statement over the next 12 to 24 months and report any suspicious behavior.

The company also suggests customers enable instant notifications via the American Express mobile app to receive notifications about fraud alerts and when purchases are made.

Finally, if your card information was stolen, you may want to consider requesting a new card number, as it is common for threat actors to sell stolen credit cards on cybercrime marketplaces.