Privacy Ninja




Amex Fined £90,000 for Sending 4 Million Spam Emails in a Year


The UK data regulator has fined American Express (Amex) £90,000 for sending over 4 million spam emails to customers within one year.

“During the investigation the ICO found that Amex had sent over 50 million, of what it classed as, servicing emails to its customers,” the UK Information Commissioner’s Office (ICO) said.

“The ICO revealed that for nearly 12 months, between 1 June 2018 and 21 May 2019, 4,098,841 of those emails were marketing emails, designed to encourage customers to make purchases on their cards which would benefit Amex financially.”

Amex’s argument that these were servicing emails designed to inform its customers of ongoing campaigns was deemed groundless by the ICO.

As the data regulator discovered, complaints showed the messages were instead direct marketing emails sent to customers who had opted out.

The company also rejected the complaints and decided not to review its marketing model, considering that the marketing emails were a requirement of Credit Agreements with customers.

“Our investigation was initiated from just a handful of complaints from customers, tired of being interrupted with emails they did not want to receive,” added Andy Curry, ICO Head of Investigations.


“I would encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law.”

Direct marketing emails classified by Amex as servicing emails

By sending marketing emails to those who didn’t freely consent to receive them, Amex broke Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR), which give people specific privacy rights in relation to electronic communications.

While the UK data watchdog can impose monetary penalties of up to £500,000 on data controllers, it decided to fine Amex only £90,000 because the company did not “deliberately set out to contravene PECR in this instance.”


Amex can pay this fine by June 17 and, if the payment is made in advance, the Commissioner will also reduce it by 20% to £72,000.

“This is a clear example of a company getting it wrong and now facing the reputational consequences of that error,” the ICO Head of Investigations added.

“The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases.”

In April, the financial services company American Express reported a net income of $2.2 billion for Q1 FY2021 and Q1 revenue of $9.1 billion.


