Why Hackers Are Targeting Your Airline Rewards Points and Miles – and How to Keep Them Safe
Cybercriminals have set their sights on breaching frequent flier accounts and cashing in on stolen miles. Here's how travelers can safeguard their accounts from these attacks.
For many travelers, airline miles and hotel loyalty points hold significant value, serving as a versatile form of currency that enables them to book flights and accommodations around the globe. However, the prospect of malicious hackers infiltrating their frequent flier accounts may not have crossed the minds of many. Nonetheless, experts advise travelers to exercise vigilance over their frequent flier activity, much like they do with their bank and credit card accounts.
According to Kurt Long, the founder of cybersecurity firm Bunkr, the theft of points and miles has been on the rise in recent years. This increase can be attributed, in part, to major data breaches at companies like Starwood/Marriott, MGM, Star Alliance, and OneWorld. These breaches resulted in cybercriminals gaining unauthorized access to travelers' information, including usernames and passwords. Additionally, a reduced level of travel during the pandemic contributed to the vulnerability of these rewards accounts.
"Most people don't routinely check their account balances, and during the pandemic, they also weren't utilizing their points," Long explained. "At the same time, rewards programs were distributing a substantial number of points, making them a more appealing target for hackers."
Long noted that the security regulations in the travel sector tend to be less stringent compared to heavily regulated industries such as banking, wealth management, and healthcare. Consequently, there are fewer safeguards in place to protect travelers in case of data breaches.
Gary Leff, a blogger at ViewFromTheWing.com who specializes in frequent flier points and miles, acknowledges the prevailing belief that theft of points and miles is increasing, though concrete data to substantiate this claim remains hard to obtain. Many loyalty programs closely guard their actual fraud levels.
Airlines do not divulge extensive information about the measures they implement to prevent the theft of customers' points and miles. When questioned, a representative from Delta simply stated, "Information security is certainly something our teams are working on improving for our customers." Similarly, a representative from American Airlines emphasized, "Data security is a top priority for our customers, and we continue to enhance our security measures on aa.com to further protect their personal information."
Once hackers gain access to your account, they may utilize your points and miles for actual hotel stays and flights or convert the points into cash at participating retailers, such as Amazon.
"Criminals may also redeem the points themselves and subsequently sell the rewards," noted Steve Weisman, author of Identity Theft Alert and a professor at Bentley University, where he teaches about white-collar crime. As an example, he mentioned a case where Russian hackers used British Airways miles for flight upgrades, hotels, and rental cars, which they then sold to unsuspecting customers on seemingly legitimate websites.
"They are highly organized, which the public may not fully comprehend," Long added. "They are well-funded, develop software, and possess a range of tools. When they acquire your personal information, they use automated systems to identify vulnerabilities. Travel presents a lucrative market for them."
Here's what you need to know to protect your points and miles accounts from potential hacks.
How to Protect Your Frequent Flier Accounts
Unlike bank accounts, which provide monthly statements, travelers typically need to log in to their accounts to monitor their points and miles balance. Ensuring robust password management, employing unique, complex passwords for each account, is essential in preventing hackers from gaining unauthorized access, according to Long. Reusing the same password for multiple accounts or using slight variations of it can pose a security risk. If cybercriminals obtain one password, they may attempt to use it on other accounts.
Access to your mileage plan account could also enable hackers to exploit other aspects of your life, particularly if credit cards are linked to airline and hotel accounts. Additionally, the more information they gather about you, such as your employer, address, phone number, and more, the greater the potential for harm, including fraudulent credit card applications or loans taken out in your name.
Long recommends considering a password manager that can generate strong passwords and securely store them. Furthermore, two-factor authentication, involving two knowledge factors, such as a password and a one-time PIN sent to your mobile phone via text, can add an extra layer of security, slowing down cybercriminals.
Another tactic that travelers should be cautious about, as outlined by Justin Lavelle, a scams prevention expert at BeenVerified.com, is email or text messages claiming to be from airlines, travel websites, or travel agencies. These messages inform recipients that they've won additional miles or a flight and provide a contact number or a link to claim the prize. When individuals call or follow the link, they unknowingly engage with scammers who request personal information, including their airline account number. This information is then sold to other scammers. It's crucial to exercise skepticism when encountering unexpected emails; if you are unfamiliar with the sender or the message appears suspicious, refrain from clicking on it.
"I find the single best thing to do in protecting your miles is to check your account regularly," advised Leff. "I'm not going to log in to every airline's website daily, but I will visit AwardWallet.com, click one button, and update most (though not all) of my account balances. This way, I can immediately detect any unauthorized point deductions from my account."
What to Do If Your Airline Miles or Hotel Points Are Hacked
Points are considered your property, and despite their intangible nature, they hold monetary value, making their theft a criminal offense.
The first step you should take is to contact the airline or hotel company and inform them that you did not authorize the use of your stolen miles or points. Request that they restore the stolen points to your account.
Ben Farrow, a LegalShield partner attorney, explained that while companies are not legally obligated to return the points or miles, most airlines and hotels typically do so, especially if the company's negligence played a role in the breach. If a company was found to be at fault, it could be held responsible for compensating customers for their losses in a court of law. However, Farrow emphasized that companies often choose to return the points and miles to maintain the loyalty of their frequent flier customers.
If the airline or hotel refuses to refund the stolen miles, Farrow suggested considering filing a criminal complaint with your local sheriff's department. While law enforcement may have limited success in apprehending the criminal, due to potential jurisdictional issues and extradition challenges, having a criminal report on file can be beneficial. Subsequently, you can file a complaint with the Federal Trade Commission (FTC), citing the company's mishandling of your data, which led to the loss of your points and miles. Although the FTC won't investigate individual complaints, it will aggregate the data, potentially leading to the development of regulations addressing the issue.
Farrow noted, "Remember those auto warranty calls that were all over the place? They all got shut down because enough people complained to the FTC. Until enough people voice their concerns about issues like this, change won't happen."