Australian Privacy Commissioner orders American Express Australia Limited to compensate complainant following interference in privacy | OAIC

Australian Privacy Commissioner orders American Express Australia Limited to compensate complainant following interference in privacy | OAIC We use cookies on this site We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our privacy policy . Close Skip to main content Australian Privacy Commissioner orders American Express Australia Limited to compensate complainant following interference in privacy Published: 15 June 2026 The Office of the Australian Information Commissioner (OAIC) has today published its summary report of the determination in the matter of ‘BAM’ and American Express Australia Limited. This follows a process of engagement with the parties regarding the decision and a determination regarding publication. The Australian Privacy Commissioner Carly Kind found that American Express Australia Ltd (AMEX) interfered with the complainant’s privacy under the Privacy Act 1988 (Cth), by failing to take such steps as were reasonable in the circumstances to protect the complainant’s personal information from unauthorised access, in breach of Australian Privacy Principle (APP) 11.1, and must not repeat or continue such conduct. These findings conclude a lengthy, detailed investigation and decision-making process, which explored the issue of insider security risk within a financial institution. The outcome of this investigation confirms that insider security risk remains a significant, yet frequently overlooked, threat to organisations, and to the individuals whose personal information they are entrusted with. The risk that employees may seek access to personal information on their employer’s systems for improper purposes, including financial fraud, domestic and family violence, or political, military or corporate espionage, is an unfortunate reality. The risk is heightened in sectors that store large volumes of personal information, such as the financial services sector. The OAIC’s investigation found that AMEX failed to adequately mitigate these risks. Section 33C of the Privacy Act empowers the Privacy Commissioner to release information where doing so is in the public interest, and in this matter, the OAIC has published a summary report rather than the full determination. During the investigation, both AMEX and the complainant provided the OAIC with sensitive information, over which they made separate confidentiality claims. The OAIC considers the disclosure of this information could cause harm to individuals, present a risk to AMEX’s cyber security, and undermine the OAIC’s investigation processes. This approach, and the reasons for adopting it, was explained in correspondence to AMEX and the complainant. Under the determination, for interference with the complainant’s privacy, American Express Australia Limited must: pay the complainant specified amounts for economic loss, for non-economic loss caused by the interference with the complainant’s privacy, and for reimbursement of expenses the complainant incurred making the complaint issue a written apology to the complainant, acknowledging its interference with the complainant’s privacy, signed by a representative of AMEX with sufficient seniority implement technical controls across the relevant systems, to enable AMEX to restrict its employees’ access to specific customer information, including to protect the personal information of vulnerable or high-profile customers implement account-level access logging and action logging across the relevant systems to the extent these are still in operation, to create time-stamped log entries when an employee accesses or takes action on a customer’s records. This determination underscores the important role that ICT systems’ access controls play in ensuring that individuals’ personal information is protected from unauthorised access, and in particular access by employees of an entity. It is therefore essential that entities which hold personal information, such as those in the financial sector, ensure sufficient controls are in place to protect personal information from the risk of unauthorised access by employees. Download the OAIC’s Report of investigation into AMEX (PDF, 185 KB) . Background Statement regarding American Express investigation (17 October 2025) Did you find this helpful? Yes No We'd love to hear more! Please tell us more Rate your experience We'd love to hear more about your rating What did you come here to do? How can we improve this information? ⨯ Share Facebook Twitter Linkedin Site map Copyright Terms and conditions Privacy policy Accessibility Contact us 1300 363 992 Monday to Thursday 10 am to 4 pm (AEST/AEDT) Language Please select… العربية 繁體中文 ελληνικός Italiano Español ภาษาไทย Tiếng Việt ਪੰਜਾਬੀ ကညီကျိာ် 简体中文 ܐܵܬܘܿܪܵܝܵܐ नेपाली Filipino هزارگی Easy English Follow us Acknowledgement of Country The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present. © Commonwealth of Australia