American Express is writing to some card members warning that their account information has been compromised by a data breach at a third party provider.
In a letter published on the California attorney general's site on 10 March, the card firm says it has become "aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system".
The breach, which happened more than two years ago - in December 2013 - saw account numbers, names and other information, such as expiration dates, breached.
"It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure," says the letter.
AmEx has not revealed how many customers are affected but is advising those that are to check their accounts for fraudulent activity and report any suspicious transactions.
AmEx now says that a merchant, not a third party service provider, was breached. "We inadvertently filed an incorrect version of the customer notice with the California Attorney General," a spokesperson tells Finextra.
Cardmembers receive the correct version of the letter, which is now on the California attorney general's site.