Australia’s privacy watchdog has been told to hand over the full text of its determination against American Express, after publishing only an abridged version of an investigation that uncovered security and access control weaknesses. A motion from Greens senator David Shoebridge passed the Senate 33–21 on Thursday, giving the OAIC until 28 July to produce the complete determination and related correspondence, as reported by iTnews. Last month, the OAIC ordered Amex to implement stronger system access controls within six months, following a pair of insider privacy breaches.
If you run a wealth management or advice firm, there are two things worth sitting with here. The first is that the Amex case wasn’t a hack — it was staff misusing access they legitimately held. The second is that the OAIC tried to keep its full findings confidential, and the Senate overrode it. Regulator findings about your security posture can end up on the public record whether you like it or not. In the financial services environments we audit, the pattern is remarkably consistent: permissions grow with every role change and almost never shrink. The adviser who moved into paraplanning three years ago can usually still open every client file they ever touched.
The practical move is an access review this quarter. Map who can open client records against who actually needs to, confirm departed staff and contractors are genuinely gone from every system, and check your platforms log who accessed what and when. Amex was given six months to fix its access controls — it’s cheaper and far less public to do it before the OAIC asks.
Our financial services IT team builds access reviews and audit-ready reporting into managed IT for wealth and advice firms.
