Tanya Plibersek (Sydney, Australian Labor Party, Minister for Social Services) | Hansard source

This is a statement about a constituent who came to my office in August 2022 seeking assistance. He told me at that time that his privacy had been seriously breached and that he had been sexually assaulted. He told me that the person who had assaulted him and breached his privacy worked at American Express, where my constituent had an account. My constituent had met the accused on a dating app. They'd been dating for about 90 days. My constituent ended that contact after the alleged assault, reported it to American Express and to the police and stopped using his Amex card.

Two days prior to the alleged assault, I was informed by my constituent that the person who worked for Amex had told him that he knew where my constituent had bought his morning coffee and knew about several purchases he'd made that day. He had been using the Amex card to stalk my constituent. My constituent reported this to the police and to the Australian Financial Complaints Authority—the regulator for financial consumers. After five months, AFCA found that my constituent's privacy had indeed been breached under federal legislation, but it chose not to publish its determination. AFCA concluded, I understand, that Amex produced evidence that Amex had zero controls over its systems. That meant that any Amex employee basically anywhere in the world could access information on pretty much any Amex customer without any real controls and without traceability of who had been accessing those records. This is very concerning.

My constituent then went on to complain to the Privacy Commissioner. The Privacy Commissioner has upheld that his information has been inappropriately accessed, but the Privacy Commissioner has prevented the publication of her detailed report into this issue. It is very concerning because it is apparent that Amex has no reliable way of detecting employees, or preventing employees from, misusing their access to customer data. Roughly one million Australians hold an Amex card. That data is not fully deleted when their cards are no longer used. I raise this issue here because it is important that we have full transparency around issues of privacy such as this.

See this speech in context