Australian Privacy Commissioner: AMEX Australia Breached Privacy Laws Over Insider Threats

June 16, 2026
Australian Privacy Commissioner: AMEX Australia Breached Privacy Laws Over Insider Threats
  • The Australian Privacy Commissioner found that American Express Australia breached Privacy Principle 11.1 of the Privacy Act 1988 by failing to take reasonable steps to protect personal information from unauthorised access due to insider security risk, and ordered the company to address insider threat gaps.

  • Amex Australia is required to fix security gaps in five data systems, restrict employee access to customer information, and implement account- and action-logging to monitor insider activity.

  • There is an ongoing debate over public transparency; calls persist for full disclosure of the final determination, while privacy advocates and complainants weigh risks to cybersecurity.

  • AMEX acknowledged the decision, pledged to work with the OAIC, address recommendations, and issue a written apology to the complainant.

  • The OAIC issued a summary report in the BAM and American Express Australia Limited case, noting confidentiality considerations that limit full disclosure.

  • The ruling requires technical controls to restrict employee access to customer information, particularly for vulnerable or high-profile customers, plus mandatory account-level access and action logging across relevant systems.

  • This case underscores the importance of ICT access controls in preventing unauthorized internal access to personal data and shows organisations can face financial and reputational consequences for insider breaches.

  • The OAIC emphasizes insider risk as a major privacy threat in data-rich sectors like financial services and treats it as a privacy compliance issue, not merely an internal security or HR matter.

  • Initial findings show AMEX could not audit or enforce access policies for 88 of its systems (about 78%) that hold Australians’ personal information.

  • The process involved delays over compensation size and redactions, reflecting tensions between public accountability and safeguarding cybersecurity and privacy processes.

  • Commissioner Carly Kind notes AMEX failed to implement uniformly applied technical and organizational measures, despite prior awareness of insider-threat incidents.

  • The final determination is released as a 14-page summary; complainant voices concern about lack of full public disclosure, with gag orders restricting discussion of findings.

Summary based on 2 sources


Get a daily email with more Australia News stories

Sources


American Express ordered to fix security gaps after customer was spied on

More Stories