
Amex ordered to compensate man whose ex accessed his data


Privacy commissioner gags complainant over American Express data security findings

Fri 12 Jun 2026 at 5:05am

In short: An investigation was sparked after a man the complainant briefly dated used his position at Amex to access his personal financial information. An interim decision last year called for Amex to overhaul its systems to protect customer data from rogue employees.

What's next? The privacy watchdog will publish a summary of its final determination today but has ordered the complainant not to disclose its full determination, which it says is confidential.

Australia's privacy commissioner has threatened a complainant with legal action to prevent the full disclosure of findings of a long-running investigation into American Express's information security that found widespread technology failures.

The Office of the Australian Information Commissioner (OAIC) will today publish a summary of its final determination into an investigation that began in 2023, but has threatened the complainant with an injunction or legal action to prevent disclosure of the full report.

The privacy commissioner's long-running investigation began after a man the complainant briefly dated used his position at Amex to spy on his personal banking transactions, which later forced Amex to reveal it was unable to restrict staff access to the majority of its customer accounts.

The Age published the OAIC's confidential interim decision last year, which found Amex's technology needed to be overhauled after systemic failures meant the majority of its customers' data were exposed to privacy breaches from rogue employees, known as "insider threat".

The summary of the final determination, set to be published on the OAIC's website on Friday, found the complaint to be substantiated and ordered the company to pay the complainant compensation of more than $23,000.

The ABC has not obtained a copy of the final determination or its summary.

However, ahead of publishing the summary decision, privacy commissioner Carly Kind took what Greens senator David Shoebridge called an "extraordinary step" of ordering the complainant not to disclose the full decision.

In her letter dated June 2, obtained by the ABC, Ms Kind wrote that the full determination was being provided to the complainant on a "strictly confidential basis" after permitting American Express to make submissions about what information should be restricted, because of the potential for harm including "the creation of risks to Amex's cybersecurity".

"Any unauthorised disclosure or use of the determination, or any part of its contents, may constitute a breach of that obligation of confidence.

"In the event of any actual or threatened unauthorised disclosure or use of the determination, I reserve the right to bring proceedings seeking urgent injunctive relief to restrain further disclosure or use, and take further action as may be available at law or in equity.

"Further disclosure of the confidential version of that determination would undermine the integrity of the OAIC's complaint-handling process, discourage frank and open participation of interested persons and third parties and prejudice administration of the act.

"The content of the determination is communicated to you for the sole and limited purpose of informing you of the outcome of the investigation of your complaint, enabling you to obtain legal advice in relation to the determination, and enabling you to exercise such rights of review as are available to you," Ms Kind wrote.

The OAIC's investigation has been plagued by delays, as Amex defended its policies and denied wrongdoing.

In an email, the complainant informed Ms Kind of the extreme mental toll the investigation had caused after being informed of yet another delay.

"I cannot keep doing this. It's not how victims should be treated," wrote the complainant, who the ABC is not naming due to safety and privacy concerns.

Ms Kind responded the same day, with an apology and attaching a letter outlining the gag order.

"You are entirely right to expect we will meet the timeframes we set for ourselves, and again I apologise.

"Please find attached correspondence, which contains important information about the contents of the determination and the conditions under which it is provided. I also attach the final determination.

"I have expressed my personal regret in the correspondence that you have had such a difficult complainant experience, and I reiterate it again here. I hope the conclusion of this matter brings you some satisfaction and solace."

Senator Shoebridge, who has raised the American Express case in federal parliament several times, said the gag order was "deeply distressing".

"I'm deeply concerned about the precedent that this sets and what it says to people also seeking to make complaints about privacy breaches they have experienced at the hands of large multinationals.

"When a regulator's processes favour powerful institutions and exhaust the individuals seeking justice, that is a bad outcome.

"The Australian Privacy Commissioner has found that this American multinational breached privacy laws and then threatened the successful complainant with a court injunction if he tells the whole truth about it. That is so obviously wrong."

A spokesperson for the OAIC defended the gag order, saying it relied on "free and frank disclosure of information to efficiently and effectively investigate privacy complaints".

"The OAIC considers that the disclosure of this information could cause harm to individuals, present a risk to AMEX's cyber security, and undermine the OAIC's investigation process."

The spokesperson said the OAIC sought to "balance the need for transparency, regulatory guidance and deterrence on one hand, with the need to prevent harm and preserve the effectiveness of the regulatory framework on the other".
Originally published by ABC Australia