The timing associated with this notification is almost as disturbing as the potential breach itself.  2013 was largely considered the “year of the breach”, until 2014 came along and continued the trend.  A compromise that went unnoticed for 3 years is a worst case scenario, but one that should cause a concerned pause regardless.

http://www.csoonline.com/article/3045121/security/american-express-warns-customers-about-third-party-breach.html