
‘Insider threat’: How an online date led to a ‘systemic’ failures investigation into American Express

By Charlotte Grieve

John Smith* had just moved to Sydney after more than a decade abroad when he met someone online last summer. Using the dating app Grindr, he started chatting with a man named Tahn Daniel Lee.

Lee was isolating with COVID at the time, so they spoke online for a few weeks before meeting in Sydney’s Surry Hills for a first date – a Japanese dinner followed by Messina ice cream.

The date would be one of many – in a relationship that moved quickly before taking a dark turn, when Smith started to suspect that Lee was monitoring his bank accounts.

The Age and The Sydney Morning Herald can reveal that one of the world’s largest financial companies, American Express, would not only dismiss Smith’s initial complaint without proper investigation, but provide misleading information during an external probe.

A date with Tahn Daniel Lee (left) would trigger an investigation into “systemic” problems at American Express.

It comes as two major ASX-listed companies – Optus and Medibank – have exposed sensitive identification and health information to criminals, starting a national conversation about how best to deal with emerging cyber threats.

Cybersecurity experts say the “insider threat” is a major risk and the Privacy Commissioner’s failure to penalise companies that break the law has created a culture of impunity among corporate Australia.

“Because, what is the recourse?” former Australian Federal Police investigator turned cyber expert Nigel Phair says. “Businesses just aren’t doing the risk management that’s required. The tone starts from the top.”

Luxury hotels, exclusive clubs

Smith’s first impression of Lee was that he had a disarming smile and the relationship progressed quickly.

Lee worked as a relationship manager for American Express’ Centurion, the exclusive club for black cardholders who typically spend half-a-million dollars each year.

Smith already had a platinum American Express from living in the US, but Lee suggested he sign up in Australia, so he could show him how to squeeze the most out of the benefits.

He agreed and soon began using American Express as his primary banking card. But he quickly became suspicious that Lee was monitoring his transactions, after a series of comments about items Smith had purchased, places he had been or payments he had made.

“I asked him how he was able to do this without my consent or authority (one time pin etc), and he replied, ‘because the system is completely open, I have god mode’,” Smith wrote in a complaint later filed with American Express.

Smith lives with autism and while he classifies as “high functioning”, he sometimes struggles to recognise inappropriate behaviour. He noticed “warning signs” about Lee but brushed them aside, he says, travelling to Hawaii and Hamilton Island with his new partner.

On one of these trips, Smith became uncomfortable with the way Lee discussed his clients’ affairs, including major food distributor Primo Foods, which, Lee said, siphoned millions of dollars to the Cayman Islands. In a later text message, Lee said: “FYI, everything I tell you about work is highly confidential.”

By April, he tried to break off the relationship and says he warned Lee he would report his behaviour to American Express.

To this, Lee did not react well. He pleaded to continue the relationship, Smith says, and at one point, phoned Smith’s close friend out of the blue to beg her to dissuade Smith from making a complaint.

This was the final straw. He was determined to report Lee.

Amex says ‘no inappropriate access’

Around the same time, another American Express employee was alerted to unusual activity on Smith’s account. This triggered an internal investigation into Lee, which quickly cleared him of wrongdoing.

The company wrote to Smith on May 26 claiming Lee was not in a role where it would be necessary to access his account and, in any event, there was training and processes in place to protect customer information.

“We are confident there has been no inappropriate access to your Platinum Charge card account,” the company wrote.

Unconvinced, Smith asked American Express to guarantee they had blocked Lee’s access to his account and reported the discussions about Primo Foods. The following week, in a phone call, Smith says he was told that if Lee had looked at his account, it was no big deal because they were partners and discussing Centurion’s clients was also no cause for concern.

John Smith was unconvinced by Amex’s assurances. Credit: Jason South

Smith took the complaint to the Privacy Commissioner, which referred the matter to the Australian Financial Complaints Authority. Immediately, AFCA requested a meeting with American Express to confirm that Lee no longer had access to Smith’s account.

The company’s response was swift, and would later turn out to be wrong. “We confirm that the employee has no access to [Smith]’s account,” Amex responded.

In letters between AFCA, Smith and American Express over the next few months, the company continued to imply there had been no inappropriate access or breach of privacy laws.

Until the story changed. In August – three months after Lee’s irregular activity was first detected – Smith was informed American Express found that Lee had, in fact, accessed his personal information. Digital access logs revealed Lee looked at Smith’s private account on nine separate occasions between February and April this year.

American Express then said it was impossible to block Lee from accessing the account, but that he would be disciplined, and the account would be monitored to ensure there were no further intrusions.

“American Express is unable to practically restrict American Express employees from being able to access any specific Card member data,” the company wrote in a letter.

“We acknowledge that [Smith] feels uncomfortable with his previous partner’s access to his personal information and have made every effort to implement controls to further protect his data.”
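The two controls American Express describes in its letters, monitoring a specific card member’s account for further lookups and, in its view, the impracticality of restricting a named employee from it, are the kind of thing an access-log screening routine makes concrete. The script below is an added illustration written for this article, not American Express code: it parses a constructed access log, denies any (employee, account) pair on a complainant-requested block list before any other rule, flags lookups that carry no recorded business need (no open case and not in the employee’s assigned portfolio), and aggregates the flagged lookups per pair so that a repeated pattern surfaces as one row. The log format, the case and portfolio tables, and every identifier in it are assumptions.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    account: str
    action: str
    case_id: str  # empty when the lookup was not tied to a case


# Constructed sample log (CSV: ts,employee,account,action,case_id).
# Illustrative records only, not real American Express data.
SAMPLE_LOG = """\
2022-02-03T09:12:00,emp-1042,acct-7781,VIEW_TRANSACTIONS,
2022-02-03T09:15:00,emp-2210,acct-5530,VIEW_PROFILE,CASE-88
2022-03-11T22:40:00,emp-1042,acct-7781,VIEW_TRANSACTIONS,
2022-03-15T08:00:00,emp-2210,acct-9999,VIEW_TRANSACTIONS,
2022-03-16T08:05:00,emp-2210,acct-9999,VIEW_TRANSACTIONS,CASE-00
2022-04-02T13:05:00,emp-1042,acct-7781,VIEW_PROFILE,
2022-04-20T10:00:00,emp-3303,acct-7781,VIEW_PROFILE,CASE-91
"""

# Assumed sources of business need (hypothetical tables; a real deployment
# would query the case-management and portfolio systems instead).
OPEN_CASES = {
    ("emp-2210", "acct-5530", "CASE-88"),
    ("emp-3303", "acct-7781", "CASE-91"),
}
ASSIGNED_BOOK = {"emp-2210": {"acct-5530"}}

# Per-pair deny list: (employee, account) pairs a complainant has asked to be
# blocked. Evaluated before any business-need rule, so a justification cannot
# override it.
BLOCKED_PAIRS = {("emp-1042", "acct-7781")}


def parse_log(text: str) -> list[AccessEvent]:
    """Parse CSV access records; blank lines are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, employee, account, action, case_id = row
        events.append(
            AccessEvent(datetime.fromisoformat(ts), employee, account, action, case_id)
        )
    return events


def decide(event: AccessEvent) -> str:
    """Return 'blocked', 'ok' or 'unjustified' for one access.

    The same function serves as a pre-access authorisation check (deny
    unless the answer is 'ok') and as an after-the-fact review of logged
    lookups."""
    if (event.employee, event.account) in BLOCKED_PAIRS:
        return "blocked"
    if event.case_id and (event.employee, event.account, event.case_id) in OPEN_CASES:
        return "ok"
    if event.account in ASSIGNED_BOOK.get(event.employee, set()):
        return "ok"
    return "unjustified"


def verdict_counts(text: str) -> dict[str, int]:
    """Tally of verdicts over a whole log."""
    return dict(Counter(decide(e) for e in parse_log(text)))


def repeat_offenders(text: str) -> dict[tuple[str, str], int]:
    """Count non-'ok' lookups per (employee, account) pair, so that many
    accesses to one member's account by one employee show up as a single
    row with its count."""
    counts = Counter(
        (e.employee, e.account) for e in parse_log(text) if decide(e) != "ok"
    )
    return dict(counts)


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.ts.isoformat(), e.employee, e.account, e.action, decide(e))
    print(verdict_counts(SAMPLE_LOG))
    print(repeat_offenders(SAMPLE_LOG))
```

Run on the constructed log, the three lookups by emp-1042 of acct-7781 come back as blocked, the two lookups of acct-9999 with no open case (one with a case ID that does not exist) as unjustified, and the two case-backed lookups as ok. The point of the design is that a per-pair deny list is an ordinary authorisation check placed ahead of the business-need rules, and that the same decision function can run both at access time and over historical logs.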

In a final determination delivered this month, AFCA found American Express had breached privacy laws by allowing Lee to access Smith’s account without authorisation, both during and after the relationship. It awarded Smith $2000 in damages but did not order an apology, and found the company had handled the complaint appropriately.

“I am satisfied the financial firm has investigated the matters raised by the complainant, and in the circumstances, it has responded appropriately,” AFCA found.

American Express declined to answer specific questions about what steps it had taken to investigate Smith’s complaint, or what action was taken against Lee, but said it upholds the “highest levels of integrity” and has co-operated with AFCA.

“Whilst they made a determination against us, they concluded that American Express had investigated and responded appropriately,” the company said. “We are satisfied that this matter poses no risk to the integrity of our systems. Protecting the privacy of our customers and the integrity of our systems remains our utmost priority.”

Under current laws, a company can be fined up to $2.2 million for each unauthorised access. The federal government is considering increasing the penalty to $50 million per breach, meaning American Express could have faced penalties for the nine breaches totalling $450 million.

“Companies need to take this issue around unauthorised access to information more seriously because the penalties are significant,” CyberCX privacy law expert David Batch says. “But in reality, the Privacy Commissioner has historically not handed down those fines.”

In October, Smith was told AFCA’s systemic issues team had agreed to investigate American Express over its handling of Smith’s case. This team looks into serious breaches and systemic issues, and can refer matters to other regulators, such as the Privacy Commissioner, but there is little transparency in its findings. AFCA could not comment on whether that promised investigation would actually be conducted.

‘Stop them immediately’

University of NSW Professor of Cybersecurity Nigel Phair says the “insider threat” is a leading concern for companies, where the actions of rogue staff members can undermine the security of the entire organisation.

“One in three data breaches are done by either a malicious or careless insider, which is a huge amount,” Phair says. “A company might not pick up on it straight away, but when they do, they should be able to stop them immediately.”

The authorities’ failure to impose large penalties on companies that mishandle their customers’ data creates a culture of impunity among Australian corporates, he says.

“It’s disappointing, particularly when the government says we will increase the penalties. Why don’t you start using the penalties you’ve got first?”

Smith feels let down by American Express and by the system designed to hold companies to account. Nowadays, he makes sure to use the card only in ways that don’t give away his location. “He still has access,” he said. “He could be looking at my account and see where I am in real-time.”

Lee and Primo Foods did not respond to requests for comment.

*Not his real name. He asked that his identity be kept confidential.

Original URL: https://www.watoday.com.au/business/companies/insider-threat-how-an-online-date-led-to-a-systemic-failures-investigation-into-american-express-20221027-p5bted.html