Back to Blog
Consumer Rights

The Enemy Within: The American Express Scandal and the Employee Who Spied on Their Ex

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
28 Giugno 2026
9 min read
The Enemy Within: The American Express Scandal and the Employee Who Spied on Their Ex

Can an American Express employee spy on an ex-partner using customer data?

Yes, according to a recent scandal, an American Express employee abused their access privileges to illegally monitor the ex-partner's financial transactions. This case highlights a serious breach of privacy and trust, raising crucial questions about consumer data security.

Imagine discovering that someone inside your bank or credit card company is spying on every purchase you make. Not an anonymous hacker, but an employee with direct access to your data. That's exactly what happened in the American Express scandal: an employee used company systems to track the ex-partner's buying habits, turning trust into a nightmare.

This isn't a dystopian movie. It's the reality of how personal data can be manipulated by those who should protect it. In Italy, the Data Protection Authority has already sanctioned similar cases, but the path to true protection is still long. Here's what you need to know to defend yourself.

How is such abuse possible?

Companies like American Express have massive databases full of transactions, balances, and personal data. Employees, especially in customer service or security, often have access to these systems for work purposes. But when strict controls and frequent audits are lacking, anyone with bad intentions can take advantage.

In this specific case, the employee used their authorized account to search and view the ex-partner's transactions without any work-related reason. This is a classic example of an 'insider threat,' which is often more dangerous than an external attack because it exploits trust and system knowledge.

What are your rights in Italy?

The European Union's General Data Protection Regulation (GDPR) gives you powerful tools. Every company must ensure data is accessible only to authorized personnel for legitimate purposes. If you discover abuse, you have the right to file a complaint with the Data Protection Authority, which can impose hefty fines (up to 4% of global turnover).

Additionally, you have the right to ask the company for a report on who has seen your data and why. If you suspect abuse, you can submit a formal data access request (Article 15 GDPR) and demand immediate deletion of any unauthorized accesses.

How to protect yourself from internal abuse?

You can't control every employee of a large company, but you can take some precautions. First, use services that offer access notifications: some banks and credit cards alert you via email whenever someone accesses your account. Activate these notifications.

Second, diversify your financial tools. Don't put all your eggs in one basket: if one card is compromised, you have alternatives. Finally, immediately report any suspicious activity, such as strange calls from customer service or transactions you don't recognize.

The American Express scandal reminds us that the enemy can be within the walls. But with awareness and action, you can turn vulnerability into power. In Italy, the GDPR is your shield: use it.

Compared to the American model, where the California CCPA/CPRA offers similar but often less impactful protections, Italy and the EU have stricter rules. However, even here, personal vigilance is key: never take your data security for granted.

🔍 Quick Guide: How to Act if You're a Victim of Corporate Espionage
1. Gather evidence: save emails, screenshots of suspicious transactions, and record dates and times.
2. Contact the company (e.g., American Express) and request an access report to your data (Article 15 GDPR).
3. If you don't get a response, file a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
4. Consider filing a criminal complaint for unauthorized access to a computer system (Article 615-ter of the Italian Penal Code).
File a Complaint Now
The widget is an interactive 4-step guide for those who suspect they've been spied on by an employee of a company like American Express. Each step is highlighted with a blue color and a hover effect to draw attention. The red 'File a Complaint Now' button links directly to the Italian Data Protection Authority's site, making action immediate. The design is mobile-friendly and uses a card layout for easy reading. Steps cover evidence gathering, formal GDPR request, complaint to the Authority, and criminal report, providing a complete path.
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.