"Insider Threat": How an Online Date Led to an Investigation of "Systemic" Errors at American Express

John Smith* had just moved to Sydney after more than a decade abroad when he met someone online last summer. He began chatting with a man named Tahn Daniel Lee via the dating app Grindr.

Lee was in isolation with COVID at the time, so they spoke online for a few weeks before meeting up in Sydney’s Surry Hills for a first date – a Japanese dinner followed by Messina ice cream.

The date would be one of many in a relationship that moved quickly before taking a dark turn when Smith began to suspect Lee was monitoring his bank accounts.

The Age and The Sydney Morning Herald can reveal that one of the world’s largest financial companies, American Express, not only dismissed Smith’s original complaint without proper investigation, but also provided misleading information during an external investigation.

A date with Tahn Daniel Lee (left) would spark an investigation into “systemic” issues at American Express.

It comes as two major ASX-listed companies — Optus and Medibank — have disclosed sensitive identification and health information to criminals, starting a nationwide conversation about how best to deal with emerging cyber threats.

Cybersecurity experts say the “insider threat” is a major risk, and the privacy commissioner’s failure to penalize companies that break the law has created a culture of impunity among Australian businesses.

“Because what is the cure?” says Nigel Phair, an Australian Federal Police investigator turned cyber expert. “Companies just don’t manage the risk they need. The sound starts from the top.”

Luxury hotels, exclusive clubs

Smith’s first impression of Lee was that he had a disarming smile, and the relationship progressed quickly.

Lee worked as a relationship manager for American Express’ Centurion, the exclusive club for black-card holders who typically spend half a million dollars a year.

Smith already had a platinum card from American Express because he lived in the US, but Lee suggested he enroll in Australia so he could show him how to make the most of the benefits.

He agreed and soon began using American Express as his primary bank card. But he quickly became suspicious that Lee was monitoring his transactions after Lee made a series of comments about items Smith had purchased, places he’d been or payments he’d made.

“I asked him how he could do this without my consent or authority (one-time PIN, etc.) and he replied, ‘Because the system is completely open, I have god mode,'” Smith wrote in a later complaint to American Express.

Smith lives with autism, and while he classifies himself as “high functioning,” he sometimes has a hard time spotting inappropriate behavior. He noticed “red flags” about Lee but brushed them aside, he says, as he traveled to Hawaii and Hamilton Island with his new partner.

On one of those trips, Smith became uncomfortable with the way Lee discussed his client affairs, including major grocer Primo Foods, which he said had drained millions of dollars into the Cayman Islands. In a later text, Lee said, “FYI, everything I tell you about the work is strictly confidential.”

By April, Smith was trying to break off the relationship, and says he warned Lee he would report his behavior to American Express.

Lee didn’t respond well to that. He asked that the relationship continue, Smith says, and at one point he called Smith’s close friend out of the blue to ask her to stop Smith from filing a complaint.

This was the last straw. He was determined to report Lee.

Amex Says “No Improper Access”

Around the same time, another American Express employee was alerted to unusual activity on Smith’s account. This sparked an internal investigation into Lee, which quickly cleared him of wrongdoing.

The company wrote to Smith on May 26 claiming that Lee is not in a role where it would be necessary to access his account and that training and processes are certainly in place to protect customer information.

“We are confident that there has been no inappropriate access to your Platinum Charge card account,” the company wrote.

Unconvinced, Smith asked American Express to guarantee that it had blocked Lee’s access to his account, and reported the discussions about Primo Foods. Smith says he was told in a phone conversation the following week that if Lee looked at his account, it wasn’t a big deal since they were partners, and that talking about Centurion’s clients wasn’t a concern either.

John Smith was unconvinced by Amex’s assurances. Credit: Jason South

Smith took the complaint to the Privacy Commissioner, who referred the matter to the Australian Financial Complaints Authority. Immediately, AFCA requested a meeting with American Express to confirm that Lee no longer had access to Smith’s account.

The company’s response was swift and was later proven to be wrong. “We confirm that the employee does not have access to [Smith]’s account,” Amex replied.

In letters between AFCA, Smith and American Express over the next few months, the company continued to claim there had been no improper access or breach of privacy laws.

Until the story changed. In August – three months after Lee’s irregular activities were first discovered – Smith was informed that American Express had determined that Lee had in fact accessed his personal information. Digital access logs showed that Lee checked Smith’s private account on nine separate occasions between February and April of this year.

American Express then said it was impossible to stop Lee from accessing the account, but that he would be disciplined and that the company would monitor the account to ensure there were no further intrusions.

“American Express is unable to effectively prevent American Express employees from accessing certain cardmember data,” the company wrote in a letter.

“We recognize that [Smith] is uncomfortable with his former partner’s access to his personal information and has made every effort to implement controls to further protect his information.”

In a final ruling presented this month, the AFCA found that American Express had violated privacy laws by allowing Lee to access Smith’s accounts before and after the relationship without authorization. It awarded Smith $2,000 in damages but did not order an apology and cleared the company of wrongdoing.

“I am satisfied that the financial company investigated the matters raised by the complainant and responded appropriately under the circumstances,” AFCA stated.

American Express declined to answer specific questions about what steps it had taken to investigate Smith’s complaint or what action was taken against Lee, but said it maintains the “highest level of integrity” and has worked with AFCA.

“While they made a finding against us, they concluded that American Express had investigated and responded appropriately,” the company said. “We are satisfied that this matter does not pose a risk to the integrity of our systems. Protecting the privacy of our customers and the integrity of our systems remains our top priority.”

Under current law, a company can be fined up to $2.2 million for each unauthorized access. The federal government is considering increasing the fine to $50 million per violation, meaning American Express faces a total of $450 million in penalties for the nine violations.

“Companies need to take this issue of unauthorized access to information more seriously because the penalties are significant,” said David Batch, CyberCX’s privacy law expert. “But in reality, the data protection commissioner has not imposed these fines in the past.”

In October, Smith was informed that the AFCA’s systemic issues team had agreed to investigate American Express over its handling of Smith’s case. This team investigates serious breaches and systemic issues and can refer matters to other regulators such as the Data Protection Commissioner, but its findings are not very transparent. AFCA could not comment on whether this promised investigation would actually be carried out.

“Stop them immediately”

Nigel Phair, professor of cybersecurity at the University of NSW, says the “insider threat” is a major concern for companies, where the actions of fraudulent employees can undermine the security of the entire organization.

“One in three data breaches is committed by either a malicious or negligent insider, which is a huge amount,” says Phair. “A company might not notice it right away, but if it does, they should be able to stop it right away.”

The authorities’ failure to impose heavy penalties on companies that mishandle their customers’ data is creating a culture of impunity among Australian businesses, he said.

“It’s disappointing, especially when the government says we’re going to increase penalties. Why don’t you start with the penalties you have first?”

Smith feels let down by American Express and the system for holding companies accountable. These days, he makes sure to only use the card in a way that doesn’t reveal his location. “He still has access,” he said. “He could look at my account and see where I am in real time.”

Lee and Primo Foods did not respond to requests for comment.

*Not his real name. He asked that his identity be kept secret.
