The Australian Privacy Commissioner has found that American Express Australia breached privacy law by failing to adequately protect a customer’s personal information from unauthorised internal access.
The Office of the Australian Information Commissioner (OAIC) has concluded that American Express interfered with a complainant’s privacy by failing to take reasonable steps to safeguard personal information, breaching Australian Privacy Principle 11.1 under the Privacy Act.
The commissioner ordered the company not to repeat the conduct and directed it to implement stronger technical controls to prevent similar incidents.
The case followed a lengthy investigation into insider security risks within financial institutions, examining how employees can misuse legitimate access to sensitive customer data.
According to the OAIC, the threat extends beyond financial fraud and can include risks linked to domestic and family violence, political targeting, espionage, and other forms of misuse.
Privacy commissioner Carly Kind said the matter highlighted the importance of robust access controls in organisations that hold large volumes of personal information.
The regulator found that American Express had failed to adequately mitigate the risk of unauthorised employee access to customer information. While the OAIC did not publish the full determination, citing confidentiality concerns and the potential for cyber security risks, it said the findings underscored the need for organisations to address insider threats as a core component of their security strategies.
As part of the determination, American Express has been ordered to compensate the complainant for economic and non-economic loss, reimburse complaint-related expenses, and provide a written apology signed by a sufficiently senior company representative.
The company must also introduce technical safeguards that allow it to restrict employee access to specific customer records, particularly those belonging to vulnerable or high-profile individuals. In addition, it has been directed to implement account-level access logging and action logging across relevant systems, creating time-stamped records whenever employees view or modify customer information.
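The two classes of control ordered here, per-record access restriction for flagged customers and time-stamped logging of every view or modify, are illustrated by the following added example. It is not American Express code and makes no claim about how its systems work; the account names, record IDs, role names and access sequence are constructed for the illustration.

```python
"""Per-record access restriction with account-level access/action logging.

Added example, not American Express code. Every read or write of a customer
record passes through one policy gate that appends a time-stamped audit event
whether the request is allowed or denied, so the log also captures probing.
All names, record IDs and the demo scenario are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class AuditEvent:
    ts: str          # ISO-8601 UTC timestamp of the attempt
    actor: str       # employee account that made the request
    action: str      # "view" or "modify"
    record_id: str   # customer record the request targeted
    outcome: str     # "allowed" or "denied"
    reason: str      # policy rule that produced the outcome


class CustomerRecordStore:
    """Every read or write goes through one policy check that always logs."""

    def __init__(self, records: Dict[str, dict], restricted: Set[str],
                 allow_list: Dict[str, Set[str]],
                 clock: Optional[Callable[[], datetime]] = None):
        self._records = records
        self._restricted = restricted    # vulnerable/high-profile: default deny
        self._allow_list = allow_list    # record_id -> accounts with a need-to-know
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.audit_log: List[AuditEvent] = []

    def _decide(self, actor: str, record_id: str) -> Tuple[str, str]:
        if record_id not in self._records:
            return "denied", "no-such-record"
        if record_id in self._restricted:
            if actor in self._allow_list.get(record_id, set()):
                return "allowed", "restricted-record-allow-list"
            return "denied", "restricted-record-not-on-allow-list"
        return "allowed", "unrestricted-record"

    def _gate(self, actor: str, action: str, record_id: str) -> bool:
        outcome, reason = self._decide(actor, record_id)
        self.audit_log.append(AuditEvent(
            ts=self._clock().isoformat(timespec="seconds"),
            actor=actor, action=action, record_id=record_id,
            outcome=outcome, reason=reason))
        return outcome == "allowed"

    def view(self, actor: str, record_id: str) -> Optional[dict]:
        if not self._gate(actor, "view", record_id):
            return None
        return dict(self._records[record_id])  # copy, so callers cannot mutate silently

    def modify(self, actor: str, record_id: str, changes: dict) -> bool:
        if not self._gate(actor, "modify", record_id):
            return False
        self._records[record_id].update(changes)
        return True


def repeated_denials(log: List[AuditEvent], threshold: int = 2) -> Dict[str, int]:
    """Detection over the log: accounts repeatedly denied on restricted records,
    the pattern of an employee probing for data they have no need to see."""
    counts: Dict[str, int] = {}
    for e in log:
        if e.outcome == "denied" and e.reason.startswith("restricted-record"):
            counts[e.actor] = counts.get(e.actor, 0) + 1
    return {a: n for a, n in counts.items() if n >= threshold}


def access_trail(log: List[AuditEvent], record_id: str) -> List[Tuple[str, str, str, str]]:
    """Who touched a given record, when, and with what outcome."""
    return [(e.ts, e.actor, e.action, e.outcome) for e in log if e.record_id == record_id]


def run_demo() -> CustomerRecordStore:
    """Constructed scenario: three customers, one flagged as restricted."""
    ticks = iter(range(60))   # deterministic clock so the trail is reproducible
    fixed_clock = lambda: datetime(2024, 1, 1, 9, 0, next(ticks), tzinfo=timezone.utc)
    store = CustomerRecordStore(
        records={"C-100": {"name": "A"}, "C-200": {"name": "B"}, "C-300": {"name": "C"}},
        restricted={"C-300"},
        allow_list={"C-300": {"case.worker"}},
        clock=fixed_clock)
    store.view("agent.one", "C-100")               # ordinary record: allowed
    store.view("agent.one", "C-300")               # restricted, not on list: denied
    store.modify("agent.one", "C-300", {"x": 1})   # denied again, record unchanged
    store.view("case.worker", "C-300")             # on the allow-list: allowed
    store.modify("case.worker", "C-300", {"flag": "reviewed"})
    return store


if __name__ == "__main__":
    s = run_demo()
    for e in s.audit_log:
        print(e)
    print("repeated denials:", repeated_denials(s.audit_log))
```

The design point is that the policy decision and the log write live in one code path (`_gate`), so no read or write can bypass logging, and denied attempts are recorded with the rule that denied them. That is what makes the `repeated_denials` check possible: the signal of an insider probing restricted records is in the failures, which a log of successful reads alone would never show.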
The OAIC said the case reinforces the critical role of identity and access management (IAM) and audit logging controls in protecting customer data and maintaining compliance with Australian privacy obligations.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.