Amex compensation order exposes security failures
Amex compensation order requires payment of more than $23,000 after a customer's former partner accessed his account data, with the regulator's security findings kept confidential.

American Express has been ordered to compensate a customer whose former partner accessed his account data, in a privacy case that has drawn attention to how much of the regulator’s security finding remains hidden. The order, first reported by ABC News, requires Amex to pay more than $23,000 to a complainant identified by the pseudonym John Smith.
Privacy Commissioner Carly Kind said the matter involved “the creation of risks to Amex’s cybersecurity”, according to ABC. The Office of the Australian Information Commissioner began investigating in 2023 after Smith complained about employee access to his account information.
At its narrowest, the case is about one customer and one former partner. For banks, card schemes and fintech platforms, it raises a more operational question: can the company show which staff member opened a customer record, when it happened and whether there was a legitimate reason? Those controls matter because customer files can include identity details, credit information and transaction histories that reveal where someone shops, travels and spends. They also matter after a complaint, when a company has to reconstruct events without relying on memory or broad assurances.
The unpublished finding is the awkward part. ABC reported that the OAIC told Smith he could not disclose the full determination, leaving customers and security teams with only a partial account of what the regulator found.
Separate reporting by The Sydney Morning Herald said more than three-quarters of Amex systems did not track employee access to customer accounts. If that description is accurate, the weakness was broader than the conduct of the person who viewed Smith’s data. It went to the audit trails Amex would need to detect misuse, explain the response to a privacy regulator and reassure other customers that the same path could not be used again.
Smith told the Herald the result did not deliver what he had sought. “I wanted an apology and a public acknowledgment so that American Express customers would be protected. I’ve got neither of those things,” he said.
For Amex, the compensation figure is small beside the governance issue. Payments companies rely on staff access for fraud checks, disputes and account servicing, so the question is rarely whether an employee can open a file at all. The test is whether access is limited to the right people, recorded in a usable way and reviewed when something looks wrong. That is a compliance discipline as much as a security control.
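The controls described above, recording who opened a customer record, when, and against which business reason, and then reviewing that trail after a complaint, as an added illustration that is not Amex's or the OAIC's code. The record layout, the rule that a lookup must cite a case that concerns that customer, the conflict-of-interest list and the sample events are all assumptions made for the example.

```python
"""Staff access to customer records: log every lookup with a reason, then review it.

Constructed example (not Amex's system). Assumed inputs: a case system that says which
customers each servicing/fraud/dispute case concerns, and a list of declared conflicts."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AccessEvent:
    staff_id: str
    customer_id: str
    at: datetime
    case_id: Optional[str]  # business reason for the lookup; None means no reason was given


@dataclass
class AccessAudit:
    cases: dict            # case_id -> set of customer_ids that case legitimately concerns
    conflicts: dict = field(default_factory=dict)  # staff_id -> customers they must not view
    events: list = field(default_factory=list)

    def record(self, staff_id, customer_id, case_id=None, at=None) -> AccessEvent:
        """Append one lookup to the trail; the trail is never edited afterwards."""
        ev = AccessEvent(staff_id, customer_id, at or datetime.now(timezone.utc), case_id)
        self.events.append(ev)
        return ev

    def history(self, customer_id) -> list:
        """Reconstruct who opened this customer's record and when, oldest first."""
        return sorted((e for e in self.events if e.customer_id == customer_id), key=lambda e: e.at)

    def review(self, customer_id) -> list:
        """Return (event, reason) pairs for lookups that lack a usable justification."""
        findings = []
        for e in self.history(customer_id):
            if e.case_id is None:
                findings.append((e, "no case reference"))
            elif customer_id not in self.cases.get(e.case_id, set()):
                findings.append((e, "case does not concern this customer"))
            if customer_id in self.conflicts.get(e.staff_id, set()):
                findings.append((e, "declared conflict of interest"))
        return findings


def build_sample_audit() -> AccessAudit:
    """Constructed events: one routine lookup, one with no reason, one citing the wrong case."""
    t = datetime(2023, 3, 1, tzinfo=timezone.utc)
    audit = AccessAudit(cases={"dispute-55": {"cust-1001"}, "fraud-9": {"cust-2002"}},
                        conflicts={"agent-42": {"cust-1001"}})
    audit.record("agent-7", "cust-1001", "dispute-55", at=t)
    audit.record("agent-42", "cust-1001", None, at=t.replace(day=2))
    audit.record("agent-7", "cust-1001", "fraud-9", at=t.replace(day=3))
    return audit
```

Running `build_sample_audit().review("cust-1001")` flags the second lookup twice (no reason, declared conflict) and the third once (case concerns a different customer); the first passes.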
The confidentiality element also puts pressure on the OAIC. Privacy determinations often have to protect complainants while still giving organisations public lessons about handling personal information. Greens senator David Shoebridge criticised the gag order, telling the Herald: “That is so obviously wrong.” The public interest is sharper when a finding points to systems used across a major payments business.
Customers are left with an incomplete answer. They know there was a privacy failure serious enough to warrant compensation, but not enough about the underlying systems to judge their own exposure. For Australian digital-service providers, the case is a reminder that insider-threat controls sit inside privacy compliance, evidence handling and customer trust.
Marnie Blackwood
Regulation reporter on Privacy Act reform, eSafety, ACCC tech enforcement, and ACMA. Reports from Canberra.


