American Express has filed a notice with the Attorney General in California, informing some of its cardholders that their account information may have been compromised.
The notice, dated March 10, tells Amex cardholders that their names, account numbers and expiration dates were potentially exposed when a third-party service provider that works with numerous merchants experienced unauthorized access to its systems.
The notice did not indicate how many account records may have been exposed. It also did not name the third party involved.
Stefanie Ash, chief privacy officer for American Express, says in the notice that the company is "vigilantly monitoring" customer accounts for fraud and informed them they would not be liable for fraudulent charges, if they should occur.
Customers may receive more than one letter about the incident if more than one of their Amex card accounts are affected, the company said.
Security measures to protect against exposure through third-party vendors have been a hot-button issue, with the Payment Card Industry Security Standards council recommending tighter guidelines.
The heightened interest stems from the Target breach in 2013 and Home Depot breach in 2014, both of which exposed customer data through a weak link in third-party vendor access.