Beyond the Breach: Lessons from the American Express Incident

Financial service organizations continue to be high-value targets for cybercriminals. According to Verizon research, 97% of these attacks are financially motivated, because FinTech organizations hold large volumes of sensitive information that can be used in direct attacks, identity theft, and fraud. The latest American Express (Amex) breach was disclosed at the start of March, revealing that numerous customers had their sensitive data exposed. No matter how careful organizations think they are with their data, there is always the risk of a breach and a data disclosure.

In this article, we explore what happened in the Amex breach and some ways such disasters can be prevented in the future. 

Understanding the American Express Breach

Unlike many other breaches where a company is directly attacked, the American Express breach stemmed from a compromised third-party provider. This raises the question, “Why are all the headlines about an Amex breach?” It all comes down to who owns the data.

In this case, the data compromised was from American Express. It included a broad selection of sensitive cardholder information, including American Express card account numbers, cardholder names, and card expiration dates of an unknown quantity of customers. Because of this, American Express will end up as the party responsible for compliance and legal consequences. 

Third-Party Risk

Financial institutions like American Express depend heavily on third-party vendors for various services, leveraging the external expertise and specialized skills these partners provide. Outsourcing non-core functions is cost-effective and allows companies to concentrate on their primary business goals and strategies. These relationships often require sharing sensitive information with a third party so that it can do its work.

Data sharing is part of the risk organizations accept when relying on third parties. Even with data protection agreements and independent audits, companies still have limited control over how their data is protected once it leaves their organizational boundaries. Security failures, even when they come from an employee rather than a failed technology, can still lead to massive breaches.

This means that a breach in one part of this intricate network can trigger a ‘chain reaction’ that affects all parties. The interconnected nature of these partnerships means a security lapse in a single third-party vendor can have a ripple effect, impacting the entire supply chain, as well as other companies and customers linked indirectly.

Data Exfiltration

Oversharing data in partnerships, especially with third parties, carries inherent risks, particularly for organizations that don’t follow the ‘principle of least privilege.’ This principle states that partners should only access the minimum data necessary for their tasks. Without ensuring that shared data follows this principle, organizations can run afoul of compliance mandates such as GDPR, which strictly regulate how sensitive data is used, stored, and shared.

Oversharing sensitive information increases the risk of data loss with no ability to track it. This information may show up on the dark web in a stolen data dump and be linked back to your organization. However, without adequate tracking of how data is shared, there is no way to determine the cause of the leak or take steps to prevent it in the future.

Sharing Securely

Sharing data is a necessity for collaboration, especially with third parties. However, data can still be shared safely. Modern solutions such as Data Detection and Response (DDR) can securely analyze and sanitize data, allowing it to be shared safely across organizations, collaboration tools, and with third parties.

Understanding File Contents

Implementing safe sharing starts with understanding the content of files that are shared. For structured files, this is an easy undertaking; however, most data used in an organization is unstructured, including everything from documents to emails. This data is more challenging to assess as the content is varied and less predictable, making it harder to automatically identify and categorize. Effective unstructured data management requires advanced tools and strategies to scan, understand, and protect this diverse content, ensuring that sensitive information is handled and safeguarded during the sharing process.

Sanitizing Data

Part of what makes DDR different from many other techniques is the ability to sanitize sensitive information as it traverses organizational boundaries. Once sensitive data is detected, DDR leverages a combination of techniques to reduce the risk of the data being shared. Data masking is one such technique that replaces sensitive information with fictional but realistic data. Similar to this is anonymization, which involves removing or modifying personal identifiers to prevent the identification of individuals. 

Collectively, these techniques allow sensitive data to remain protected, even if it is accidentally shared. Advanced DDR solutions integrate into existing technologies, allowing data to be analyzed and sanitized behind the scenes, eliminating the need for users to take any action. This seamless integration helps organizations reduce privacy risks and maintain compliance without relying on users to modify their workflows. 

Data Detection and Response with a Zero Trust Approach

To prevent breaches like the one affecting American Express and its customers, Votiro has taken DDR to the next level – combining Zero Trust Content Security with Data Detection and Response within a single, unified platform. 

Votiro’s Zero Trust DDR combines proactive threat prevention with real-time data privacy to offer robust business security that proactively identifies and addresses vulnerabilities before they become exploitable. This strategy ensures a heightened level of security by staying ahead of potential threats.

To learn more about Votiro’s Data Detection and Response capabilities, sign up for a one-on-one demo of the platform, or try it free for 30 days and see for yourself how Votiro can proactively defend your data’s security and privacy.
