Overworked employees might take some solace from the belief that their road-warrior lifestyles are helping them build up hotel and airline points that they can later use to take a vacation. Imagine those employees’ disappointment when they open their rewards accounts only to discover that all of their hard-won points are gone!

 

This is exactly what happened to thousands of Hilton Honors rewards account members near the end of 2014, after hackers stole millions of the program's rewards points and began selling them online to other takers. United, American, and Japan Airlines experienced similar thefts in their respective awards programs in 2015. Hilton reimbursed its account members who reported that their points were stolen, but the damage had been done and, inevitably, some of those account members experienced disruptions in their travel plans.

 

The hackers’ modus operandi for travel point thefts has been as unsophisticated as the security that companies had erected around reward accounts. One analysis of travel rewards programs revealed that hotel and airline companies had little more than four- to six-digit passwords for their sites, with no other user authentication. Consumers also tend to be more complacent about their travel awards accounts, and frequently use the same sign-in information for each of those programs. This allows a cyberthief to gain access to multiple accounts as soon as one account is cracked.

 

Hackers are also thwarting reward program security systems with simple spoofing schemes that fool those systems into thinking that a request to redeem airline or hotel miles is coming from a legitimate rewards program member. With a spoof, the hacker replicates the network address of a legitimate rewards member and fools the rewards computer into believing that the hacker’s sign-in is originating with that user.

 

The Incentive to Steal Rewards Points

 

Reward points are high-value, low-risk targets that are protected with minimal security. Points can be sold to brokers for cash. They can be exchanged for products or gift cards. Some hackers have gone so far as to use stolen points to book their own air travel and hotel stays.

 

More dangerously, rewards card points can be a stepping stone to a user’s more secure data, including addresses, financial account numbers, and social security number. More than 3 billion user-loyalty rewards accounts have been opened by U.S. citizens. This vast trove of data is an enticing target for cybercriminals who have a further goal of stealing identities.

 

How to Respond if Your Points are Stolen

 

As suggested by the Hilton Honors situation, if you see that points have been stolen from any of your rewards accounts, your first order of business is to notify the company of the theft. This lays the groundwork for the company to reimburse points that may have been lost.

 

Because of the cross-pollination of passwords among a user’s rewards accounts, if you lose points from one account you should check all other accounts to confirm that they have not been targeted as well. Changing and varying passwords among accounts is also a good strategy to prevent further losses.

 

A company that runs a rewards program has different concerns and liabilities in the event of a data theft or breach from those rewards accounts. That company will likely incur substantial direct costs to recover lost data and to rebuild affected servers and databases. It may also incur liabilities to rewards account members whose points and data have been lost or compromised as a result of the breach. The company might be able to absorb these direct and third-party losses associated with the breach, but those losses can be substantial and have a direct effect on the company’s bottom line. Cyber insurance is a better option for all companies that manage rewards accounts.

 

Cyber insurance can make compensation available to cover a company’s cybertheft losses. Cyber insurance companies can also help their clients to establish better security to prevent losses in the first instance. Rewards account members who know that they are dealing with a company that provides stronger protection will be more likely to continue with the program and to remain loyal to the brand.