
All John Smith ever wanted was an apology. He was disturbed to discover the man he had briefly dated in 2022 was using his position at American Express to spy on purchases he made using his card, and he thought the global company would take swift action.

Smith complained internally and even reached out to Amex’s individual lawyers on LinkedIn – desperate to draw their attention to what he considered a major breach of privacy laws.

However, little did he know, this would be the starting point of years of being dismissed and lied to – a gruelling quest for justice that has exposed the fault lines of Australia’s privacy regulation.

This masthead revealed this week that the Office of the Australian Information Commissioner had discovered that 78 per cent of American Express’s systems do not track employee access to customer accounts, exposing the bulk of its customers to insider threats.

Privacy Commissioner Carly Kind’s investigation remains ongoing, with no final determination yet made, but her interim findings reveal how American Express provided misleading information to regulators and pushed back against investing in technology needed to protect its customers.

American Express said it had fully co-operated with the OAIC investigation, disagreed with its interim findings, and stressed the investigation was still under way with further information to be provided. “No official findings have been made,” a spokesperson said, adding American Express took its customers’ security seriously and had “full faith” in its technology systems.

The spokesperson said “we categorically reject” claims that any regulator was misled and explained that one “incorrect statement was mistakenly provided” at one stage, which was “promptly corrected” within 48 hours.

An OAIC spokesman said views stated in its interim report were “preliminary” and did “not reflect the final view” but could not comment further as the investigation was ongoing.

Digital Rights Watch founder and privacy lawyer Lizzie O’Shea said Australian regulation was miles behind the rest of the world, and that the lack of major fines or compulsory monitoring meant there was limited incentive for companies to safeguard private information.

“Our privacy regime is hopelessly out of date,” O’Shea said. “It’s a disaster waiting to happen. And this is what gives rise to these kinds of problems – systemic risks that are built into the system.”


In recent weeks, a data breach at Qantas resulted in 5.7 million customers’ private information being uploaded to the dark web. The Australian Federal Police promised to take swift action after a US website posted the phone numbers of Prime Minister Anthony Albanese and hordes of other public figures.

While American Express has not experienced a mass data leak in Australia, gaping holes in its technology expose its customers to identity theft, fraud and harm from rogue employees. Parliamentary disclosures show more than a dozen sitting federal politicians are among the 1 million Australian cardholders at risk.

Labor MP Ed Husic, who owns an American Express card, said the interim findings were an “extremely serious concern”.

“I’m not focused on this as a matter affecting politicians, I just think any Australian who’s an American Express customer should be fuming about this,” he said.

“It looks like American Express isn’t even meeting international standards for managing and protecting customer data.

“Disregard for protecting and defending customer data is an attitude ripe for a hacker to exploit – because corporate culture seeps into the way a company works and behaves.”

Over the past three years, any setbacks have only strengthened Smith’s resolve to expose the failures within American Express – a company he views as a ticking time bomb. This masthead has obtained a tranche of documents that reveal Smith’s pursuit of accountability through regulators and lawmakers. He has sent countless letters to politicians – and secured the public and private support of senior Labor minister Tanya Plibersek.

“I am concerned by the interim findings of the Office of the Australian Information Commissioner and urge American Express to take it seriously,” Plibersek said.

One government staffer, who was not authorised to speak publicly, said Smith’s concerns about American Express were directly incorporated into the government’s seven-year cybersecurity strategy, published in 2023.

However, Liberal MP Mary Aldred disputed the efficacy of this strategy, pointing to an 11 per cent rise in cybercrime incidents over the past 12 months.

Aldred, who also owns an American Express card and has worked in cybersecurity, said the OAIC’s interim findings indicated “just about everyone in the company has had a high level of access to data, whether they needed it as part of their job or not”.

“It’s not sufficient to rely on training and internal policies alone. There should be login-tracking protocols in place to deter and flag unnecessary access to personal data.”

From TV ads to TikTokers

American Express has long been a recognised and celebrated brand in Australia, dating back to black-and-white advertising campaigns fronted by comedian Barry Humphries to designer Lizzy Gardiner’s gold-card dress on the Oscars red carpet in 1995.

Barry Humphries promoting American Express in the 1980s. Credit: American Express

Its branding has adorned Sydney’s city skyline, and its green, silver, gold and black cards have stuffed wallets all around the country.

Last year, American Express launched a campaign to grow its younger customer base in Australia, hiring TikTok personality Millie Ford as a brand ambassador and hosting a music event headlined by Sydney band Lime Cordiale.

However, behind the scenes, it was battling an investigation that threatened to force an overhaul in the way it handles customer data.

The global behemoth’s business operations span credit cards to travel services, meaning it holds enormous amounts of private information lucrative to hackers, from financial transactions to healthcare and identity documents that provide “granular detail” about its customers’ lives.

As reported by this masthead in 2022, when Smith first reported suspicions of an employee spying on his transactions, the company assured him that there had been no foul play.

In a letter sent by an American Express vice president, Smith was informed that an internal investigation had been completed, no misconduct was found, and that all staff were rigorously trained. “I trust this response addresses your concerns,” the vice president wrote.

American Express is trying to appeal to younger customers. Credit: AmexAU/Instagram

It did not. Smith submitted a complaint to the Australian Financial Complaints Authority, which requested an emergency meeting to demand American Express guarantee the employee could no longer access his account. American Express then admitted it was “unable to practically restrict” such access and disclosed logs that revealed the employee had, in fact, opened Smith’s account on nine separate occasions without permission.

AFCA ruled in a confidential determination that these logs showed American Express had breached privacy laws. However, American Express was not required to apologise to Smith because AFCA found the company had “responded appropriately” by disciplining the employee and offering to refund Smith’s card fee of $1450.

Unconvinced, Smith escalated his complaint to the OAIC. Early on in this second investigation, American Express tried to discredit Smith.

In a letter sent to the privacy commissioner in April 2023, a senior American Express employee said many of Smith’s assertions were “found to be simply untrue” and he was casting “unfair aspersions” and making “serious allegations of conspiracy and fraud”.

“We are concerned that the complainant appears to be seeking the termination of the employee’s employment.”

The same letter claimed that Smith had been apologised to several times, which he says never happened. It provided detailed information about its confidential internal processes, systems and the internal investigation that found the problem was limited to a “sole actor” breaching company policies – a markedly different position from what Smith was initially told by American Express.

As time ticked on, Smith says the updates from the OAIC were sporadic – and at several points it was unclear whether the investigation was even ongoing.

By October 2023, more than six months after the OAIC accepted the case, then-privacy commissioner Angelene Falk appeared before a parliamentary committee where she was asked about the case. “I completely understand the issue of urgency,” Falk said, adding the matter was given “the utmost attention by a very senior officer”.

Millie Ford is an American Express ambassador. Credit: @milligram96/Instagram

More than two more years passed before the privacy commissioner finally discovered Smith’s complaints were valid – and there were systemic problems at play.

As revealed by this masthead this week, the interim determination eviscerated AFCA’s finding that American Express had acted reasonably. The commissioner flagged ordering the company to provide a written apology to Smith, signed by a senior representative and to make sweeping changes to its technology.

In the report, the commissioner noted that American Express had tried to resist implementing better controls – citing operational burdens – but this was dismissed by the commissioner, who noted it was a billion-dollar company.

The OAIC’s interim finding also determined that Smith was owed compensation. By that point, he had moved cities several times, lost work and spent thousands of dollars on therapy from the stress of having his privacy violated – and then not being believed.

While the interim findings of systemic failures were validating, Smith was frustrated that the OAIC cited a lack of resources when it declined to investigate whether American Express’s conduct reached the threshold of a “notifiable data breach”, which unlocks the pathway for heavy fines and greater accountability.

More disturbingly, the OAIC also wanted to share Smith’s private psychiatric reports with American Express to afford procedural fairness before awarding financial compensation – something Smith had never asked for.

By this point, Smith had lost all trust in American Express and agreed to share his private medical reports under strict terms – at an in-person hearing with supervision so no copies could be made.

Lizzy Gardiner in her Oscars dress. Credit: AP

This request was denied and triggered further back-and-forth emails that have now reached a stalemate.

Throughout it all, Smith has sent countless letters to sitting politicians, agitating for action to address the risks faced by 1.5 million cardholders. He complained to the ombudsman about the delays and investigatory process.

This quest for accountability gained the backing of several politicians, with Greens Senator David Shoebridge prosecuting the matter in parliamentary committees and Plibersek lending support behind the scenes.

One letter obtained by this masthead, sent by Plibersek to the Ombudsman in August, states her office had been “providing assistance” to Smith since July 2022, when he first lodged a complaint with AFCA.

“[Smith] is concerned that his negative experience of seeking remediation for his breach of privacy – which was confirmed by AFCA – should not be repeated for others also seeking to uphold their privacy rights,” Plibersek wrote.

“I respectfully request that the office of the Commonwealth Ombudsman give serious consideration to [Smith’s] complaint.”

Today, the investigation remains in limbo. American Express signed a confidentiality agreement to receive Smith’s psychiatric report, which limits who can view it and how, but Smith rejected this. His last letter to the privacy commissioner detailed his anguish.

“The complaint has been with your office for nearly three years,” he wrote. “There have been endless delays, mistakes, obfuscations, inaccuracies, question-ignoring.

“You behave as though Amex and I are ‘equal parties’ to the complaint when we are obviously not. Amex is a business with a 230 billion market cap. I am a sole complainant with no teams of lawyers and no support.”

Lack of leadership

Smith has lost hope that the privacy commissioner will ever reach a final determination.

American Express has strenuously denied the interim findings – and has swung support behind the employee, who remains working at American Express and can still access Smith’s account, according to the OAIC interim report.

The company has threatened this masthead with legal action on behalf of employees, and has pledged to provide further submissions to the privacy commissioner to challenge its interim findings.

While Smith feels deflated, O’Shea said the regulator was in a “difficult position” because the current regime was geared towards enforcing penalties only after mass privacy breaches had occurred.

“I understand why that’s frustrating,” she said. “There’s a big systemic problem that’s left unaddressed.”


Earlier this month, the privacy commissioner handed down its first-ever fine of $5.8 million to Australian Clinical Labs, after medical records, test results and other data from 223,000 individuals were leaked.

Commissioner Kind said the fine was an “important turning point” in the enforcement of privacy law in Australia, and has publicly thrown her support behind the need for reform. “This should serve as a vivid reminder … that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”

O’Shea is unconvinced. She said this was an “appalling” data breach and, while pleased the fine had been handed out, she thinks its size would do little to encourage companies to install better processes.

“There’s a role to play from a government perspective. The general under-investment in cybersecurity is a function of a lack of leadership in that respect by government in different departments.

“It is a function of a privacy regime that is due for reform. We don’t have ongoing monitoring and enforcement of standards that fall below best practice.

“In that environment, I’m not surprised this happens.”

The attorney-general’s office declined to answer questions about the OAIC investigation or American Express, but a spokesperson said the government was committed to protecting Australians’ privacy and pointed to efforts to increase enforcement powers for the commissioner.


The spokesperson said the government was working on further reforms to “ensure Australia’s privacy laws are fit for purpose in the digital age”.

“As part of this, the government is considering additional measures to enhance security and destruction requirements and to improve responses to notifiable data breaches, including those caused by insider parties,” the spokesperson said.

For Smith’s part, he said the case was simple – AFCA found the company had breached privacy laws in 2022 and the OAIC only needed to enforce adequate repercussions. Smith said he has never asked for compensation and is dismayed that this is what is holding up the investigation.

“In the entire history of the OAIC, they have only ever successfully levelled a single fine against an organisation in Australia. Literally thousands of complaints, and only one fine – ever. The message is clear: if you’re a big business in Australia, you can do whatever you want with customer data, you’ll be fine, you won’t be fined.”

He’s not holding out for that apology.
