Loyalty programs frequently encounter security challenges, and compromised third-party system links are one of the most significant threats. These vulnerabilities put both program operators and members at risk. This article examines the risks tied to these links and the strategies available to mitigate them, supported by real-world case studies that show why addressing this issue matters so much within the loyalty industry.
Understanding Compromised Third-Party System Links
A third-party system link refers to an integration between a primary system (such as a loyalty program) and an external service provider that offers additional capabilities or functionalities. These links facilitate various operations, such as data sharing, reward fulfillment, and customer engagement, enhancing the overall effectiveness of the primary system.
A third-party system link is compromised when it has been infiltrated by unauthorised individuals or malicious software. These third-party systems often lack the robust security protocols of the main technology stack, creating potential ‘back-door’ entry points for hackers to exploit. [5]
Associated Risks
When third-party links are compromised, loyalty programs are exposed to serious risks. Data breaches can occur when hackers exploit weak links in interconnected systems, potentially exposing sensitive member information, including personal data and account details. Hackers may also access payment systems, POS terminals, or points redemption portals, creating further vulnerabilities. These security breaches can result in substantial financial losses for both program operators and members, while severely damaging the program’s reputation. This can lead to member attrition and generate negative publicity. Failure to adequately protect member data may also result in severe penalties and legal repercussions under various data protection regulations. [6]
Risk Mitigation Strategies
Risk mitigation strategies start with implementing robust security measures and protocols surrounding a loyalty program. To minimize exposure to the risks outlined above, businesses may want to consider the following measures:
- Regular security audits of system interconnectivity, to identify vulnerabilities and weak links in the network
- Penetration testing using ethical hacking techniques, to simulate real-world attacks and uncover security flaws before they are exploited
- Robust authentication protocols, such as multi-factor authentication and strong password policies, across all interconnected systems
- Encryption of all data transmitted between systems using industry-standard protocols, as an additional layer of security
- Thorough vetting of third-party partners' security measures before system integration (e.g. reviewing SOC reports)
- Continuous system monitoring, to quickly detect and respond to suspicious activity
- A comprehensive incident response plan for security breaches and fraud incidents, developed in advance and regularly updated
- Employee training on security best practices and on their role in protecting the loyalty program from potential threats
These measures will strengthen the security of your loyalty program and substantially minimize exposure to the risks mentioned above. [4]
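One concrete form the "robust authentication protocols across all interconnected systems" measure can take is to authenticate every request that arrives over a third-party system link, so that a partner's connection cannot be used as an anonymous back door. The following is an added example written for this article, not code from Loyalty & Reward Co or from any of the programs mentioned. It assumes (these details are not on the page) that the loyalty platform and each partner share a per-integration secret and that partner requests carry hypothetical `X-Partner-Id`, `X-Timestamp` and `X-Signature` headers, with the signature being HMAC-SHA256 over the timestamp and raw body.

```python
"""
Added example: verifying signed requests that arrive over a third-party
system link. Secrets, header names and the sample body are constructed
for illustration and are not taken from the original article.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed sample: one secret per integration, so a compromised partner
# key can be revoked without disturbing the other links.
PARTNER_SECRETS: Dict[str, bytes] = {
    "rewards-fulfilment": b"constructed-secret-do-not-reuse",
}

# Requests whose timestamp is further than this from the server clock are
# rejected, which bounds how long a captured request can be replayed.
MAX_CLOCK_SKEW_SECONDS = 300


def sign_request(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the signature the partner is expected to attach.

    The timestamp is bound into the signed message so that changing it
    (to extend the replay window) invalidates the signature.
    """
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(
    headers: Dict[str, str], body: bytes, now: Optional[int] = None
) -> Tuple[bool, str]:
    """Return (accepted, reason). The reason is meant for internal logging
    and monitoring; respond to the partner with a generic rejection."""
    now = int(time.time()) if now is None else now

    partner_id = headers.get("X-Partner-Id", "")
    secret = PARTNER_SECRETS.get(partner_id)
    if secret is None:
        return False, "unknown partner"

    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW_SECONDS:
        return False, "stale timestamp"

    expected = sign_request(secret, ts, body)
    provided = headers.get("X-Signature", "")
    # compare_digest runs in constant time, so an attacker cannot learn the
    # correct signature byte by byte from response timing.
    if not hmac.compare_digest(expected, provided):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request from the partner side, then checked by the platform.
    body = b'{"member":"M123","points":500}'
    ts = int(time.time())
    sig = sign_request(PARTNER_SECRETS["rewards-fulfilment"], ts, body)
    headers = {
        "X-Partner-Id": "rewards-fulfilment",
        "X-Timestamp": str(ts),
        "X-Signature": sig,
    }
    print(verify_request(headers, body))                  # accepted
    print(verify_request(headers, body + b" "))           # tampered body
    print(verify_request(headers, body, now=ts + 3600))   # replayed later
```

Rejections, especially a burst of bad signatures or stale timestamps from a single partner id, are exactly the kind of event the continuous monitoring measure above should surface, since they indicate either a misconfigured partner or someone probing the link.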
Case Study: British Airways
In 2018, British Airways (BA) experienced a significant cyber-attack that compromised the personal and financial data of approximately 400,000 customers. The breach affected the airline’s website, mobile application, and Avios loyalty program. Investigations revealed that customers were redirected to a fraudulent website where their information was harvested. [1] It is believed that the attacker may have accessed the personal data of approximately 429,612 customers and staff, including the names, addresses, payment card numbers, and CVV codes of 244,000 British Airways customers. [2]
This incident was partially attributed to an outdated IT system, highlighting the critical importance of maintaining current security measures. Initially, British Airways faced a substantial fine of £183.4 million, which was later reduced to £20 million. This case underscores the potential financial and reputational consequences of inadequate security protocols in loyalty programs.
Case Study: SITA Breach
The SITA breach further exemplifies the vulnerabilities associated with third-party system connections in the airline industry. As a major IT service provider for about 400 airlines, SITA’s security breach had far-reaching consequences. Hackers accessed SITA’s Passenger Service System for up to a month before detection, compromising data from Star Alliance and OneWorld members. Affected airlines included Singapore Airlines, Air New Zealand, Lufthansa, Malaysia Airlines, Cathay Pacific, Finnair, and Japan Airlines. The compromised data included passenger names, frequent flyer numbers, and program status. In response, affected airlines contacted members, advising them to change account passwords as a precautionary measure. This incident emphasizes the critical importance of avoiding the sharing of customer Personally Identifiable Information (PII), payment information, or passwords with third parties.
As loyalty program fraud continues to evolve, it is crucial for program operators and members to remain informed and proactive. Loyalty and Reward Co, as leading loyalty program consultants and customer loyalty consultants, offers a comprehensive series of articles on various aspects of loyalty program fraud. These resources provide valuable insights and strategies for safeguarding loyalty initiatives. [3]
Protect your loyalty program with specialized advice from the experts at Loyalty & Reward Co.
For personalized advice on protecting your loyalty program from fraud, including compromised third-party system links, we encourage you to consult with our team of expert loyalty consultants. Our tailored solutions can assist in implementing robust security measures, mitigating risks, and ensuring the long-term success of your loyalty initiative. As customer loyalty consultants, we understand the unique challenges faced by loyalty programs and can provide targeted strategies to address these issues.
Don’t allow fraud to compromise the integrity of your loyalty program. Contact Loyalty and Reward Co today to take the first step towards a more secure and resilient loyalty ecosystem. Our team of loyalty program consultants is ready to help you navigate the complex landscape of loyalty program security and fraud prevention.
Acknowledgement
Thank you to Michael Smith, co-founder of the Loyalty Security Alliance and contributor to ‘Loyalty Programs: The Complete Guide’, whose expertise helped inform insights presented in this article.
References
- Information Commissioner’s Office (ICO). (2020). ICO fines British Airways £20m for data breach affecting more than 400,000 customers.
- GDPR Register. (n.d.). ICO fines British Airways £20m for data breach. https://www.gdprregister.eu/news/british-airways-fine/
- SITA. (2021). SITA Statement About Security Incident.
- Loyalty Security Association. (2023). Best Practices for Loyalty Program Security.
- Smith, M. (2022). Navigating Fraud Risks in Modern Loyalty Programs. Journal of Loyalty Marketing, 15(2), 78-95.
- Data Protection Commission. (2021). Annual Report on Data Breaches in the Travel Industry.