IHG Rewards, Hilton Honors and British Airways: loyalty program mass data breaches
1 October 2024
Philip Shelper

Loyalty programs have been proven to boost customer acquisition, spend and retention across most industries. However, with an estimated US$320 billion of value sitting in points accounts globally, loyalty programs have also become prime targets for sophisticated fraudsters who seek opportunities to enrich themselves via loyalty fraud.

Loyalty fraud is defined as the use of deception to intentionally secure unfair financial, personal, or third-party gains from loyalty programs. As the value stored in loyalty programs continues to grow, so does the potential payout for successful fraudsters' activities. Many loyalty programs can be described as bank accounts with poor security.

Commonly publicized cases of fraud include mass data breaches and account take-overs, with several high-profile programs impacted in the past, including IHG Rewards (2022), British Airways (2018) and Hilton Honors (2014). As a result, loyalty experts, loyalty consultants and program operators need to be aware of the risks of such attacks and the most appropriate mitigation strategies.

Significant risks associated with mass data breaches and account take-overs

Within the loyalty industry, mass data breaches and account take-overs represent a significant threat to both businesses and consumers. These terms describe large-scale security incidents that specifically target customer loyalty programs.

Mass data breaches involve unauthorized access to, or theft of, customer data from loyalty program databases, often affecting numerous accounts simultaneously and compromising personal information, account details, and loyalty point balances.

The rise of social media platforms like Telegram has exacerbated this issue, with fraudsters now holding conferences to share techniques and stolen data. This trend has made it increasingly difficult for program operators to stay ahead of the curve, as hackers and fraudsters become more sophisticated in their approaches.

Account take-overs, which frequently follow such breaches or result from weak security measures, occur when fraudsters gain unauthorized access to members’ individual loyalty program accounts, allowing them to control legitimate user profiles.

This can lead to the theft of accumulated points or miles, unauthorized redemptions, and potential identity theft. Hackers employ various techniques to achieve this, including:

  1. Phishing: Fraudsters create fake websites or send deceptive emails to trick members into revealing their login credentials.
  2. Malware: Malicious software is used to infiltrate members’ devices and steal sensitive information.
  3. Brute Force Attacks: Automated programs attempt to guess passwords through trial and error.
  4. USB Charging Port Exploits: Public charging stations can be compromised to steal data from connected devices.

Once accounts are accessed, hackers may attempt to financially benefit by transferring points or miles to other accounts, redeeming points for high-value items or gift cards, selling account access on the dark web, or using personal information for identity theft.

Beyond the immediate financial losses, such breaches can severely damage brand reputation and erode customer trust, underscoring the critical importance of implementing robust security measures to protect members.

Mitigation strategies to prevent mass data breaches and account take-overs

To combat these risks, loyalty program operators should invest in implementing robust security measures and fraud prevention strategies. Recommended key approaches include:

  1. Enhanced Authentication:
    • Implement two-factor authentication (2FA)
    • Use biometric verification
    • Employ risk-based authentication
  2. Data Protection and Encryption:
    • Utilize state-of-the-art encryption techniques
    • Secure data both at rest and in transit
  3. Regular Security Audits:
    • Conduct frequent vulnerability assessments
    • Address identified issues promptly
  4. Advanced Fraud Detection Systems:
    • Implement machine learning and AI-powered systems
    • Identify suspicious activities and patterns in real-time
  5. Employee Training:
    • Educate staff on security best practices
    • Emphasize the importance of data protection
  6. Incident Response Planning:
    • Develop comprehensive response strategies
    • Conduct regular drills to ensure readiness
  7. Member Education:
    • Provide resources on account security
    • Offer guidance on recognizing potential fraud attempts
  8. Continuous Monitoring:
    • Implement systems for real-time activity tracking
    • Set up alerts for unusual account behavior
  9. Third-Party Security Assessments:
    • Regularly evaluate partners and vendors
    • Ensure compliance with security standards
  10. Secure API Integration:
    • Implement robust authentication for API access
    • Monitor API usage for suspicious activity
  11. Complex Password Requirements:
    • Enforce strong password policies
    • Educate staff and customers on creating unique, complex passwords
  12. Regular Password Changes:
    • Implement mandatory password updates
    • Prevent reuse of previous passwords

Case studies of mass data breaches and account take-overs

Several major loyalty programs have been the subject of very substantial mass data breaches and/or account take-overs. Studying their experience can help other programs avoid suffering similar incidents.

IHG Rewards (2022)

In September 2022, InterContinental Hotels Group (IHG) experienced a significant cybersecurity incident affecting its booking systems and mobile apps. The breach was reportedly carried out by a couple “for fun.”

The most alarming aspect of this breach was the discovery that the system password was set as “Qwerty1234.” The hacker group, TeaPea, gained access to IHG’s internal IT network by tricking an employee into downloading malicious software through a booby-trapped email attachment. They then accessed the most sensitive parts of IHG’s computer system after finding login details for the company’s internal password vault.

As TeaPea told the BBC, “The username and password to the vault was available to all employees, so 200,000 staff could see. And the password was extremely weak.”

This incident underscores the critical need for strong, unique passwords and proper access controls.

Impact:

  • Widespread disruption to booking systems and mobile apps
  • Potential exposure of member data
  • Reputational damage and loss of customer trust

Lessons Learned:

  • Critical importance of strong password policies
  • Need for robust access controls and employee account security
  • Importance of continuous monitoring and rapid incident response

British Airways (2018)

British Airways suffered a significant data breach in 2018, affecting around 500,000 customers. The breach was attributed to a sophisticated, malicious criminal attack on the airline’s website and app.

A particularly concerning aspect of this case was the customer service response. When members couldn’t log in to their accounts after the introduction of a complex password system, customer service representatives suggested using “Pineapple3” as a password “because that works.” This highlights the critical need for proper security protocols and staff training on security exposure.

Impact:

  • 500,000 customers affected
  • Exposed data included personal and financial details
  • £20 million fine imposed by the UK’s Information Commissioner’s Office

Lessons Learned:

  • Necessity of regular security audits and updates
  • Importance of robust data protection measures
  • Need for comprehensive incident response planning

Hilton Honors (2014)

In 2014, Hilton’s Honors loyalty program fell victim to a series of account take-overs, resulting in the theft of members’ points.

This case highlights the importance of monitoring for unusual activity. For example, a password change can often be a sign of an account take-over, particularly if it is preceded by a redemption. Automated reporting can help quickly identify these instances by generating alerts to monitoring teams.
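The kind of automated reporting described above (and the "Continuous Monitoring" alerts recommended earlier) can be built from the program's own activity log. The following is an added example, not code from the article or from any program operator: it parses a constructed sample log and flags accounts where a password change and a redemption fall within an assumed 24-hour window. It covers the sequence the text names (redemption, then password change) and also the reverse order, which is flagged separately so monitoring teams can triage the two patterns differently.

```python
from datetime import datetime, timedelta

# Constructed sample activity log (not real member data), one event per line:
# timestamp,member_id,event_type,detail
SAMPLE_LOG = """\
2024-09-01T08:05:00,M1001,redemption,gift_card:50000
2024-09-01T08:07:00,M1001,password_change,ip=203.0.113.5
2024-09-01T09:00:00,M2002,password_change,ip=198.51.100.7
2024-09-01T15:00:00,M2002,redemption,hotel_night:20000
2024-09-02T12:00:00,M3003,redemption,hotel_night:15000
2024-09-04T12:00:00,M3003,password_change,ip=192.0.2.9
2024-09-02T13:00:00,M4004,password_change,ip=192.0.2.10
"""

WINDOW = timedelta(hours=24)  # assumed tuning value; adjust to the program's norms


def parse_log(text):
    """Parse CSV-style event lines into (timestamp, member, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, member, kind, detail = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), member, kind, detail))
    return sorted(events)


def find_ato_indicators(events, window=WINDOW):
    """Alert on accounts where a password change and a redemption fall within
    `window` of each other. A non-negative gap means the redemption came first
    (the pattern described in the text); a negative gap means the password
    change came first."""
    by_member = {}
    for ev in events:
        by_member.setdefault(ev[1], []).append(ev)
    alerts = []
    for member in sorted(by_member):
        evs = by_member[member]
        changes = [e for e in evs if e[2] == "password_change"]
        redemptions = [e for e in evs if e[2] == "redemption"]
        for change in changes:
            for redemption in redemptions:
                gap = change[0] - redemption[0]
                if abs(gap) > window:
                    continue  # too far apart to correlate
                pattern = ("redemption_then_password_change" if gap >= timedelta(0)
                           else "password_change_then_redemption")
                alerts.append({"member": member, "pattern": pattern,
                               "gap_minutes": int(abs(gap).total_seconds() // 60),
                               "redeemed": redemption[3]})
    return alerts


if __name__ == "__main__":
    for alert in find_ato_indicators(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log, M1001 and M2002 are flagged, M3003 is not (the two events are 48 hours apart) and M4004 is not (a password change with no redemption).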

Impact:

  • Numerous members reported unauthorized redemptions of their points
  • Points were used for various purchases, including Amazon gift cards

Lessons Learned:

  • Necessity of implementing stronger authentication measures
  • Importance of monitoring unusual redemption patterns
  • Need for improved fraud detection systems

Conclusion

Loyalty program fraud, particularly mass data breaches and account take-overs, poses significant risks to both program operators and members. As fraudsters continue to evolve their tactics, it is crucial for loyalty programs to stay ahead of the curve by implementing robust security measures, fraud detection systems, and comprehensive incident response plans.

The case studies presented underscore the importance of strong password policies, proper staff training, and continuous monitoring of account activities. Simple oversights, such as weak system passwords or poorly trained customer service representatives, can lead to devastating breaches with far-reaching consequences.

By understanding the risks, implementing effective mitigation strategies, and learning from past incidents, loyalty program operators can better protect their members’ data and maintain the integrity of their programs. This includes not only technical measures but also a culture of security awareness among staff and members alike. Engaging qualified loyalty consultants to provide expert advice is recommended.

Credit

The insights presented in this article draw heavily from the expertise of Michael Smith, Co-Founder of the Loyalty Security Alliance. His contributions have been instrumental in shedding light on the complex world of loyalty program fraud and security.

Call to Action

Protect your loyalty program from fraud. Secure your members’ data with proactive measures. Need expert help? Contact Loyalty and Reward Co for a tailored security strategy. Our loyalty specialists will audit your program and develop robust fraud prevention measures, ensuring your loyalty program remains an asset, not a vulnerability.

References

  1. Smith, M. (2024). Loyalty Security Association: Insights on Loyalty Program Fraud.
  2. GDPR Register (accessed September 2024). ICO fines British Airways £20m for data breach affecting more than 400,000 customers.
  3. BBC News. (2022). IHG hack: ‘Vindictive’ couple deleted hotel chain data for fun.
  4. Pauli, D. (2014). ‘Hackers plunder Hilton ‘HHonors’ rewards points, go on shopping spree’, The Register.
  5. Loyalty and Reward Co. (2024). Best Practices in Loyalty Program Security.

Philip Shelper

Phil is the CEO and Founder of Loyalty & Reward Co, the leading loyalty consultancy. Loyalty & Reward Co designs, implements and operates the world's best loyalty programs for the world's best brands. Previously, Phil held loyalty roles at Qantas Frequent Flyer and Vodafone. Phil is a member of several hundred loyalty programs and a researcher of the psychology and history of loyalty, all of which he uses to understand the essential dynamics of what makes a loyalty program successful. Phil is the author of 'Loyalty Programs: The Complete Guide', the most comprehensive book on loyalty programs on the planet.
