American Express has notified US authorities that some of its card holder information was likely compromised almost three years ago after an unauthorised person or group accessed one of its merchants' systems.
The breach took place on 7 December 2013, but Amex said it had only now become aware of the intrusion.
The payments card giant asked members to take steps to protect their sensitive data as a result of the data breach, including monitoring their accounts for suspicious activity.
Customers won't be liable for any fraudulent activity, Amex said.
In a notice to customers filed with the Californian Attorney General last week, the chief privacy officer of Amex, Stefanie Ash, said account numbers, names, expiration dates and other information could have been exposed.
Amex said it was “vigilantly monitoring” accounts for fraudulent activity and asked customers to do the same. Ash said customers could receive more than one letter about the incident if it found more than one account was affected.
“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” Ash wrote.
Ash did not disclose how many records were compromised, or provide further details on the data breach.