Airline data breach targets a fraudster favorite: Loyalty programs

Advertisements like these on the dark web likely are the result of loyalty account takeovers.
Advertisements like these on the dark web likely are the result of loyalty account takeovers. Photo Credit: Courtesy of Forter/Daniel Shkedi

It's not yet certain whether a recent breach that exposed the loyalty program data of numerous carriers within the Oneworld and Star alliances will lead to a fresh spate of frequent flyer program account hacks and takeovers.

But e-commerce fraud prevention experts agree that the attack is just the latest proof that the pandemic has done little to suppress interest among fraudsters in loyalty points. 

"It's a sign of things to come," said Stuart Barwood, director of global airline strategy for the fraud prevention company Forter. "If anything, it is going to get worse, because these loyalty programs are being opened up to more partnerships."

The attack, which was made public early this month, targeted servers on which the technology company SITA stores data for its Horizon Passenger Service System. United, American, Lufthansa, Finnair and Singapore Airlines are just some of the Oneworld and Star Alliance carriers whose customers were exposed.

Close to 50 airlines use SITA Horizon, according to Barwood, but the breach was able to filter to carriers that don't use Horizon because airlines within alliances share frequent flyer information so that they can provide reciprocal loyalty privileges.

The number of accounts exposed was voluminous. Lufthansa, for example, said 1.35 million Miles and More members were impacted by the breach. However, across the impacted carriers, the breach appears to have only exposed names, account numbers and status levels. The most sensitive information, notably passwords and emails, was not exposed.

After the attack, airlines reassured customers that their accounts remained safe. Carriers told loyalty members that it is a good practice to reset passwords periodically, but that doing so in this case wasn't strictly necessary.

Chris Staab, co-founder of the U.K.-based Loyalty Security Association (LSA), agreed that damage from this attack is limited. "They didn't get the data they were looking for," he said.

But Barwood said fraudsters are doubtlessly already working to put the data to use by cross-linking it with other loyalty program breaches. Such research has a strong chance of paying off, since people often use the same or similar passwords for various accounts and because the bad actors have no shortage of data breaches from which to work. Research last summer by the digital risk protection company Digital Shadows found more than 15 billion stolen records in dark web criminal markets. Forter estimates that approximately 10% of those are travel related, including loyalty points, loyalty rewards and username and password combinations, said Daniel Shkedi, the company's senior product marketing manager. 

More recent glimpses at dark web marketplaces provide alarming examples of the vulnerability of loyalty accounts. In one market alone, Shkedi saw points from 32 airline loyalty programs posted for sale. E-gift cards from airlines and hotels are also easy to find.

In a presentation put on by the LSA last month, Kevin Lee, trust and safety architect at the digital security company Sift, showed a marketplace in which 34,000 Southwest loyalty accounts were for sale, along with 24,000 British Airways accounts, 17,000 Accor Hotels accounts, 7,000 Hilton accounts and 171,000 Choice Hotels accounts.

Lee estimated that 1 in 300 log-in attempts to loyalty programs are account takeover attempts. Programs at airlines and hotels are among the most common to be hit.

The LSA, meanwhile, estimates that 1% of airline points redemptions globally are fraudulent.

Account takeover has a higher growth trajectory than payment fraud, Lee said.

"The reason is that more people are putting a lot of sensitive or high-quality data about themselves or about their credentials online," he explained. Furthermore, information is interconnected, so account takeovers can spawn payment fraud. 

Shkedi said that he has yet to see airline points and accounts for sale on the dark web that can be tied specifically to the recent SITA breach. But he said that over the course of the pandemic, there has been an increase in the amount of loyalty account data available to fraudsters.

Fraudsters, said Staab, are likely hoarding stolen travel accounts until the recovery has materialized in hopes that they'll be more valuable at that time.

"There is a lot of evidence that account takeovers have increased, but because travel is very low, fraudsters are less likely to pull the trigger and actually redeem," he said. "So they are sitting on the accounts."

To protect their accounts, loyalty program members should maintain distinct passwords and routinely update those passwords, experts say. They also should keep track of how many points they have and periodically check to see that points haven't disappeared. 


From Our Partners

From Our Partners

Discover Mexico for the Western Traveler Part 1
Discover Mexico for the Western Traveler Part 1
Watch Now
Experience Something New with United Airlines
Experience Something New with United Airlines
Read More
Discover Mexico for the Western Traveler Part 2
Discover Mexico for the Western Traveler Part 2
Register Now

JDS Travel News JDS Viewpoints JDS Africa/MI