Loyalty programs have been proven to boost customer acquisition, spend and retention across most industries. However, with an estimated US$320 billion of value sitting in points accounts globally, loyalty programs have also become prime targets for sophisticated fraudsters who seek opportunities to enrich themselves via loyalty fraud.
Loyalty fraud is defined as the use of deception to intentionally secure unfair financial, personal, or third-party gains from loyalty programs. As the value stored in loyalty programs continues to grow, so does the potential payout for successful fraudsters' activities. Many loyalty programs can be described as bank accounts with poor security.
Commonly publicized cases of fraud include mass data breaches and account take-overs, with several high-profile programs impacted in the past, including IHG Rewards (2022) and Hilton Honors (2014). As a result, loyalty experts, loyalty consultants and program operators need to be aware of the risks of such attacks and the most appropriate mitigation strategies.
Significant risks associated with mass data breaches and account take-overs
Within the loyalty industry, mass data breaches and account take-overs represent a significant threat to both businesses and consumers. These terms describe large-scale security incidents that specifically target customer loyalty programs.
Mass data breaches involve unauthorized access to, or theft of, customer data from loyalty program databases, often affecting numerous accounts simultaneously and compromising personal information, account details, and loyalty point balances.
The rise of social media platforms like Telegram has exacerbated this issue, with fraudsters now holding conferences to share techniques and stolen data. This trend has made it increasingly difficult for program operators to stay ahead of the curve, as hackers and fraudsters become more sophisticated in their approaches.
Account take-overs, which frequently follow such breaches or result from weak security measures, occur when fraudsters gain unauthorized access to members’ individual loyalty program accounts, allowing them to control legitimate user profiles.
This can lead to the theft of accumulated points or miles, unauthorized redemptions, and potential identity theft. Hackers employ various techniques to achieve this, including:
- Phishing: Fraudsters create fake websites or send deceptive emails to trick members into revealing their login credentials.
- Malware: Malicious software is used to infiltrate members’ devices and steal sensitive information.
- Brute Force Attacks: Automated programs attempt to guess passwords through trial and error.
- USB Charging Port Exploits: Public charging stations can be compromised to steal data from connected devices.
Once accounts are accessed, hackers may attempt to financially benefit by transferring points or miles to other accounts, redeeming points for high-value items or gift cards, selling account access on the dark web, or using personal information for identity theft.
Beyond the immediate financial losses, such breaches can severely damage brand reputation and erode customer trust, underscoring the critical importance of implementing robust security measures to protect members.
Mitigation strategies to prevent mass data breaches and account take-overs
To combat these risks, loyalty program operators should invest in implementing robust security measures and fraud prevention strategies. Recommended key approaches include:
- Enhanced Authentication:
  - Implement two-factor authentication (2FA)
  - Use biometric verification
  - Employ risk-based authentication
- Data Protection and Encryption:
  - Utilize state-of-the-art encryption techniques
  - Secure data both at rest and in transit
- Regular Security Audits:
  - Conduct frequent vulnerability assessments
  - Address identified issues promptly
- Advanced Fraud Detection Systems:
  - Implement machine learning and AI-powered systems
  - Identify suspicious activities and patterns in real-time
- Employee Training:
  - Educate staff on security best practices
  - Emphasize the importance of data protection
- Incident Response Planning:
  - Develop comprehensive response strategies
  - Conduct regular drills to ensure readiness
- Member Education:
  - Provide resources on account security
  - Offer guidance on recognizing potential fraud attempts
- Continuous Monitoring:
  - Implement systems for real-time activity tracking
  - Set up alerts for unusual account behavior
- Third-Party Security Assessments:
  - Regularly evaluate partners and vendors
  - Ensure compliance with security standards
- Secure API Integration:
  - Implement robust authentication for API access
  - Monitor API usage for suspicious activity
- Complex Password Requirements:
  - Enforce strong password policies
  - Educate staff and customers on creating unique, complex passwords
- Regular Password Changes:
  - Implement mandatory password updates
  - Prevent reuse of previous passwords
Case studies of mass data breaches and account take-overs
Several major loyalty programs have been the subject of very substantial mass data breaches and/or account take-overs. Studying their experience can help other programs avoid similar incidents.
IHG Rewards (2022)
In September 2022, InterContinental Hotels Group (IHG) experienced a significant cybersecurity incident affecting its booking systems and mobile apps. The breach was reportedly carried out by a couple “for fun.”
The most alarming aspect of this breach was the discovery that the system password was set as “Qwerty1234.” The hacker group, TeaPea, gained access to IHG’s internal IT network by tricking an employee into downloading malicious software through a booby-trapped email attachment. They then accessed the most sensitive parts of IHG’s computer system after finding login details for the company’s internal password vault.
As TeaPea told the BBC, “The username and password to the vault was available to all employees, so 200,000 staff could see. And the password was extremely weak.”
This incident underscores the critical need for strong, unique passwords and proper access controls.
Impact:
- Widespread disruption to booking systems and mobile apps
- Potential exposure of member data
- Reputational damage and loss of customer trust
Lessons Learned:
- Critical importance of strong password policies
- Need for robust access controls and employee account security
- Importance of continuous monitoring and rapid incident response
Hilton Honors (2014)
In 2014, Hilton’s Honors loyalty program fell victim to a series of account take-overs, resulting in the theft of members’ points.
This case highlights the importance of monitoring for unusual activity. For example, a password change can often be a sign of an account take-over, particularly if it is preceded by a redemption. Automated reporting can help quickly identify these instances by generating alerts to monitoring teams.
Impact:
- Numerous members reported unauthorized redemptions of their points
- Points were used for various purchases, including Amazon gift cards
Lessons Learned:
- Necessity of implementing stronger authentication measures
- Importance of monitoring unusual redemption patterns
- Need for improved fraud detection systems
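The monitoring rule described in the Hilton case (a password change shortly after a redemption) can be expressed as a simple sequence detector over account activity logs. The following is an added example, not code from the original article or from any program operator; the member IDs, event log and 24-hour window are constructed assumptions, and the second rule (a redemption shortly after a password change) is an added mirror of the first, chosen here as one instance of the "unusual redemption patterns" the lessons learned point to.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    account_id: str
    ts: datetime
    kind: str          # e.g. "login", "redemption", "password_change"
    detail: str = ""

@dataclass
class Alert:
    account_id: str
    at: datetime       # time of the event that completed the pattern
    pattern: str
    triggers: list = field(default_factory=list)  # earlier events that set it up

# Constructed sample activity log (hypothetical member IDs, not real member data).
SAMPLE_EVENTS = [
    Event("M1001", datetime(2024, 9, 3, 9, 20), "redemption", "gift card, 50,000 pts"),
    Event("M1001", datetime(2024, 9, 3, 9, 31), "password_change"),   # redeem, then reset
    Event("M2002", datetime(2024, 9, 3, 10, 0), "redemption", "hotel night, 30,000 pts"),
    Event("M2002", datetime(2024, 9, 5, 14, 0), "password_change"),   # two days later: outside window
    Event("M3003", datetime(2024, 9, 3, 11, 0), "password_change"),   # reset, then drain
    Event("M3003", datetime(2024, 9, 3, 11, 5), "redemption", "gift card, 20,000 pts"),
]

def detect_sequence(events, first_kind, second_kind, window):
    """Alert when a `second_kind` event follows a `first_kind` event on the same account within `window`."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev.account_id].append(ev)
    alerts = []
    for account_id, evs in by_account.items():
        pending = []  # first_kind events still inside the look-back window
        for ev in sorted(evs, key=lambda e: e.ts):  # log lines may arrive out of order
            if ev.kind == first_kind:
                pending.append(ev)
            elif ev.kind == second_kind:
                pending = [p for p in pending if ev.ts - p.ts <= window]
                if pending:
                    pattern = f"{first_kind} -> {second_kind} within {window}"
                    alerts.append(Alert(account_id, ev.ts, pattern, pending))
                    pending = []  # each trigger event contributes to at most one alert
    return alerts

def run_ato_rules(events, window=timedelta(hours=24)):
    """The Hilton-case rule (redemption then password change) plus its mirror (reset then redeem)."""
    rules = [("redemption", "password_change"), ("password_change", "redemption")]
    return [a for first, second in rules for a in detect_sequence(events, first, second, window)]
```

Each alert carries the triggering events, so a monitoring team can see the redemption detail alongside the password change rather than just an account ID.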
Conclusion
Loyalty program fraud, particularly mass data breaches and account take-overs, poses significant risks to both program operators and members. As fraudsters continue to evolve their tactics, it is crucial for loyalty programs to stay ahead of the curve by implementing robust security measures, fraud detection systems, and comprehensive incident response plans.
The case studies presented underscore the importance of strong password policies, proper staff training, and continuous monitoring of account activities. Simple oversights, such as weak system passwords or poorly trained customer service representatives, can lead to devastating breaches with far-reaching consequences.
By understanding the risks, implementing effective mitigation strategies, and learning from past incidents, loyalty program operators can better protect their members’ data and maintain the integrity of their programs. This includes not only technical measures but also a culture of security awareness among staff and members alike. Engaging qualified loyalty consultants to provide expert advice is recommended.
Acknowledgement
Thank you to Michael Smith, co-founder of the Loyalty Security Alliance and contributor to ‘Loyalty Programs: The Complete Guide’, whose expertise helped inform insights presented in this article.
Call to Action
Protect your loyalty program from fraud. Secure your members’ data with proactive measures. Need expert help? Contact Loyalty and Reward Co for a tailored security strategy. Our loyalty specialists will audit your program and develop robust fraud prevention measures, ensuring your loyalty program remains an asset, not a vulnerability.
References
- Smith, M. (2024). Loyalty Security Association: Insights on Loyalty Program Fraud.
- GDPR Register (accessed September 2024). ICO fines British Airways £20m for data breach affecting more than 400,000 customers.
- BBC News. (2022). IHG hack: ‘Vindictive’ couple deleted hotel chain data for fun.
- Pauli, D. (2014). 'Hackers plunder Hilton 'HHonors' rewards points, go on shopping spree', The Register.
- Loyalty and Reward Co. (2024). Best Practices in Loyalty Program Security.