Spy fears over politicians’ cards as American Express faces privacy probe

Key points

  • The Office of the Australian Information Commissioner has launched an investigation into Amex.
  • American Express previously stated it was unable to restrict staff access to certain accounts.
  • Assistant Foreign Minister Tim Watts is among the politicians who have Amex cards, according to recent disclosures.
  • Greens Senator David Shoebridge says MPs holding Amex accounts poses a “significant national security risk”.

The national privacy watchdog has launched an investigation into American Express after receiving a complaint about data breaches and technology systems that raise potential national security risks for parliamentarians with accounts.

The Age and Sydney Morning Herald revealed in November that an American Express employee used “god mode” powers to spy on his ex-partner’s financial transactions on nine occasions. In response, the company stated it was unable to restrict staff access to certain bank accounts.

The national privacy watchdog is currently investigating American Express. Credit: istock

The Australian Financial Complaints Authority (AFCA) determined the company had breached privacy laws and awarded the complainant $2000 in damages, but did not order an apology and cleared the company of wrongdoing.

The matter has now been escalated to the Office of the Australian Information Commissioner (OAIC), which agreed to investigate after receiving a complaint outlining concerns about American Express on March 23, according to documents seen by The Sunday Age and Herald.

“I have considered your complaint and the supporting documents, including AFCA’s final determination and submissions tendered by AMEX to AFCA during the AFCA process, and write to notify you, that the acts and practices subject of the complaint, will be investigated by the OAIC under s40 of the Privacy Act,” an investigations officer wrote.

A spokeswoman for American Express said the company took the security of its customers “incredibly seriously” and was confident that “there were no systemic issues” with privacy or data security.

“This was an isolated incident and appropriate disciplinary action has been taken,” the spokeswoman said. “No concerns regarding national security risks related to government officials holding American Express Cards have been raised by the OAIC, AFCA or any regulatory authority in Australia.”

Public disclosures show that joint committee for intelligence and security chair Peter Khalil, Assistant Minister for Foreign Affairs Tim Watts, Minister for Ageing Justine Elliot, Victorian senator Jane Hume, South Australian senator Andrew McLachlan, and former defence minister Linda Reynolds had accounts with American Express in 2022.

The OAIC, which prioritises voluntary compliance but can issue fines of $50 million or 30 per cent of company turnover, has given the multinational company until April 17 to provide “comprehensive and detailed” responses about its technology systems and practices.

The complainant, whose identity has been withheld for privacy reasons, wrote to the watchdog outlining nine concerns, including American Express’ handling of his complaint and potential national security risks posed by the accounts of MPs.

Joint committee for intelligence and security chair Peter Khalil and Assistant Foreign Affairs Minister Tim Watts. Credit: Alex Ellinghausen / Dominic Lorrimer

“This alarming revelation highlights the urgent need to address the security vulnerabilities built into AMEX’s processes and systems that puts government officials and every other card member at risk, potentially compromising sensitive information and undermining our national security,” the complainant wrote.

During Senate estimates in February, Greens Senator David Shoebridge asked Home Affairs secretary Mike Pezzullo about potential national security implications.

“That extraordinary admission made by American Express, as it turns out, applies to the card member data for people who were at the time in the last parliament … the defence minister, health minister [and] the immigration minister,” Shoebridge said in February.

“Does that broad access to what could be highly personal data to such senior members of the former parliament and see members of the current parliament travelling?”

In response to questions on notice, the Department of Home Affairs said it does not issue American Express cards to its employees, but that it does accept payments from external parties using American Express.

The complainant, who is seeking an apology from American Express, sent numerous letters to Home Affairs Minister Clare O’Neil and Prime Minister Anthony Albanese about his case and broader risks. In responses sent last month, government representatives said his concerns would be forwarded to the OAIC and the team developing the government’s 2023-2030 Cyber Security Strategy.

“Thank you for raising this matter with the minister,” the responses stated.

Shoebridge also sent a letter to the OAIC on March 23 outlining “major privacy issues” with American Express systems, claiming the company has “rudimentary logging” of finance accounts and no logging for its travel system.

Former defence minister Linda Reynolds had an account with American Express in 2022. Credit: Alex Ellinghausen

“This does not appear to be an accident, but rather a long-standing design failure and requires a thorough investigation,” Shoebridge wrote.

“This poses a significant national security threat as people working on behalf of foreign intelligence agencies can absolutely exploit this gaping hole in AMEX’s systems and there may be no records of it happening.”

In an interview on Saturday, Shoebridge said he welcomed the OAIC’s investigation but called for greater resources and powers for the regulator, which he said was “overwhelmed” by investigations into Optus.

“The regulator desperately needs enough funding to do its job,” he said.

Shoebridge called on American Express to update its data security controls and said parliamentarians should be “on notice” about accounts with the company. “It’s a known fact that internal threats are some of the biggest risks for data security and American Express’ database is an open invitation for that kind of attack.”

O’Neil’s office declined to comment. The OAIC said it cannot comment on ongoing investigations.
