Loyalty Programs: Hot Target for Cyber Criminals
Cyber criminals are continually looking for new targets. In recent years, loyalty programs have become the hot target for cyber attackers.
One of the least highlighted aspects of recent data breaches is how much loyalty program account information they exposed. In late November this year, Marriott disclosed that, of the 500 million guests affected by a data breach spanning four years, 327 million had account information relating to the company’s Starwood Preferred Guest (“SPG”) program accessed by an unauthorized party.
SPG is the loyalty program of Starwood Hotels & Resorts Worldwide, the hotel chain Marriott acquired in September 2016. Earlier this year, Marriott completed the integration of the two companies’ loyalty programs. It is too early to tell what will become of the exposed 327 million Marriott-Starwood loyalty program accounts.
With those 327 million exposed accounts, Marriott joins other organizations dealing with the fallout of data breaches involving loyalty program account information. A quick search on Dream Market, an underground online marketplace, shows loyalty program accounts from a number of companies being sold at a discount.
Security Risks of Loyalty Programs
Loyalty programs are big business: according to Bloomberg, they are a $238-billion industry. Points earned in a loyalty program can be exchanged for merchandise, used to book flights or hotels, or even sold to online brokers. Loyalty points are therefore as good as cash, which makes them a hot target for cyber attackers.
Motherboard reported that an anonymous seller on Dream Market offers 100,000 stolen Hilton loyalty points for just under $900. “While the amount of Points required to redeem Standard Room Rewards varies by hotel, room, booking and stay date, the number of Points required for a reward stay starts as low as 5,000 Points per night,” Hilton’s own website says.
Unlike Marriott, which specifically disclosed a data breach affecting loyalty program account information, what Hilton disclosed were data breaches from November 18 to December 5, 2014 and from April 21 to July 27, 2015 involving an unspecified amount of “payment card information”.
Motherboard also reported that fraudsters on Dream Market are selling Delta SkyMiles loyalty points, with one review showing an image of a fraudster sitting on a Delta flight. In April this year, Delta disclosed that [24]7.ai, a company that provides online chat services for Delta, had been involved in a cyber incident from September 26 to October 12, 2017. Delta, however, specified that “certain customer payment information for [24]7.ai clients, including Delta, may have been accessed – but no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.”
Top Reasons Why Loyalty Programs are Hot Target for Cyber Criminals
Here are the top reasons why loyalty programs are the hot target for cyber criminals:
Lack of Due Diligence on the Part of Loyalty Program Members
People have long been protective of their credit card data, but they do not guard their loyalty point accounts the same way. A survey conducted by Connexions Loyalty showed that loyalty program members rarely monitor their accounts: most check them only every few months, and 10% said they have never logged in.
Many loyalty program members also re-use the same username/password combination across different loyalty programs. Once one set of credentials leaks, attackers can replay it against other programs’ login pages (credential stuffing) and take over every account that shares it.
Lack of Due Diligence on the Part of Companies Offering Loyalty Programs
While loyalty programs have long been viewed as a way to make more profit by keeping current customers, companies offering them do not protect loyalty program account information with the same diligence they apply to their customers’ credit card information. In the recent Marriott data breach, for instance, the company said that payment card numbers were encrypted, but personally identifiable information such as passport numbers was not protected the same way.
Aside from point balances, a trove of data is at stake in loyalty program accounts. The data attached to a loyalty program account includes personally identifiable and financial information such as name, mailing address, phone number, email address, payment card numbers and payment card expiration dates.
With that trove of data, cyber criminals see loyalty programs as a one-stop shop for data breaches. The data has value to attackers because it can be sold or exchanged for cash or cryptocurrency, while buyers can use it for malicious activities such as identity theft.
A review conducted by CreditCards.com of 10 frequent flier and 17 hotel loyalty websites found that half relied on a 4-digit PIN or a password of 6 characters or fewer, while only a third offered an extra authentication step, such as challenge questions or verification codes sent to the account holder’s smartphone. A 4-digit PIN has only 10,000 possible values, so without rate limiting or account lockout an attacker can simply try them all.
Respondents of the Connexions Loyalty survey said that if their program suffered a data breach, 1 in 4 would leave the loyalty program, while 17% would stop doing business with the organization altogether.
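The two weaknesses described above, members re-using one username/password across programs and programs accepting short PINs with no second factor, show up in a loyalty site’s authentication logs as two distinct patterns: one source trying many different accounts (credential stuffing), and one source hammering a single account (PIN enumeration). The following Python script is an added example, not code from the original article or from any of the companies named. It assumes a simple whitespace-separated log format of timestamp, source IP, account and outcome, and the log lines, thresholds and window size are constructed for illustration.

```python
"""Detect credential stuffing and PIN/password enumeration against a
loyalty-program login endpoint from authentication log lines.

Added example. The log format below is an assumption for this script,
not any vendor's real format; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
STUFFING_MIN_ACCOUNTS = 5       # distinct accounts from one source within WINDOW
STUFFING_MIN_FAIL_RATIO = 0.8   # stuffing lists mostly miss, but a few reused passwords land
ENUM_MIN_FAILS = 6              # failures on one account from one source within WINDOW

# Constructed sample in the assumed "<ISO time> <src_ip> <account> <OK|FAIL>" format.
# 203.0.113.7 replays a leaked credential list (one reused password succeeds);
# 198.51.100.9 cycles PINs against a single member; the rest is normal traffic.
SAMPLE_LOG = """\
2018-12-01T09:59:50Z 192.0.2.10 member100 OK
2018-12-01T10:00:01Z 203.0.113.7 member001 FAIL
2018-12-01T10:00:02Z 203.0.113.7 member002 FAIL
2018-12-01T10:00:03Z 203.0.113.7 member003 FAIL
2018-12-01T10:00:04Z 203.0.113.7 member004 OK
2018-12-01T10:00:05Z 203.0.113.7 member005 FAIL
2018-12-01T10:00:06Z 203.0.113.7 member006 FAIL
2018-12-01T10:00:20Z 192.0.2.11 member200 FAIL
2018-12-01T10:00:25Z 192.0.2.11 member200 OK
2018-12-01T10:01:00Z 198.51.100.9 member042 FAIL
2018-12-01T10:01:03Z 198.51.100.9 member042 FAIL
2018-12-01T10:01:06Z 198.51.100.9 member042 FAIL
2018-12-01T10:01:09Z 198.51.100.9 member042 FAIL
2018-12-01T10:01:12Z 198.51.100.9 member042 FAIL
2018-12-01T10:01:15Z 198.51.100.9 member042 FAIL
2018-12-01T10:30:00Z 192.0.2.12 member300 OK
"""


def parse(log_text):
    """Return a time-sorted list of (timestamp, src_ip, account, succeeded)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, outcome == "OK"))
    events.sort()
    return events


def detect_credential_stuffing(events):
    """Flag sources that hit many distinct accounts in one window, mostly failing.

    Returns {src_ip: {"accounts": n, "attempts": n, "successes": n}}. The
    successes count matters: each one is an account whose reused password worked.
    """
    by_src = defaultdict(list)
    for ts, src, account, ok in events:
        by_src[src].append((ts, account, ok))
    flagged = {}
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):           # sliding window over sorted events
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            accounts = {a for _, a, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if len(accounts) >= STUFFING_MIN_ACCOUNTS and fails / len(window) >= STUFFING_MIN_FAIL_RATIO:
                flagged[src] = {"accounts": len(accounts), "attempts": len(window),
                                "successes": len(window) - fails}
                break
    return flagged


def detect_enumeration(events):
    """Flag (src_ip, account) pairs with repeated failures in one window,
    the signature of guessing a short PIN/password. Returns {(src, account): fails}."""
    by_pair = defaultdict(list)
    for ts, src, account, ok in events:
        if not ok:
            by_pair[(src, account)].append(ts)
    flagged = {}
    for (src, account), times in by_pair.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= WINDOW)
            if n >= ENUM_MIN_FAILS:
                flagged[(src, account)] = n
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, info in detect_credential_stuffing(evs).items():
        print(f"credential stuffing from {src}: {info}")
    for (src, acct), n in detect_enumeration(evs).items():
        print(f"enumeration of {acct} from {src}: {n} failures in {WINDOW.seconds}s")
```

Run on the sample, the script flags 203.0.113.7 for stuffing (6 accounts, 1 success, which is the account that needs a forced password reset) and 198.51.100.9 for enumerating member042. The enumeration threshold is what a 4-digit PIN depends on: a site that neither rate-limits nor locks out after a handful of failures gives the attacker all 10,000 guesses, so the detector is a stopgap, not a substitute for lockout and a real second factor.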
When it comes to loyalty program account information, your organization faces both malicious insiders and malicious outsiders. Both are armed with tools that can penetrate your organization’s network and steal loyalty program account information.
Malicious outsiders, for instance, can exploit a known security vulnerability in a server operating system or launch a phishing attack. In a phishing attack, attackers send emails with malicious links or attachments to your organization’s staff. When a recipient opens such an attachment or clicks such a link, malicious software (malware) is installed on a machine in your organization’s network, giving the attackers a foothold from which to reach your organization’s data, including loyalty program account information.
Contact us today if you need assistance in protecting your organization’s loyalty program account information from malicious insiders or malicious outsiders.