Written by: Pooja Deshmukh from Zscaler
Are you a frequent traveler? If so, you probably participate in at least one rewards program in which you accrue airline miles or earn hotel points. The hospitality industry practically invented these loyalty programs and they’ve been enormously popular, delivering value to customers and merchants alike. It turns out, membership account data is valuable too when it falls into the wrong hands.
Credit cards are not the only thing hackers are after. Using only your rewards points, they can buy anything, from a fountain pen to a luxury perfume, from a meal in Paris to a stay in a beachside resort!
In the last couple of months, we have seen multiple data breaches in the hospitality industry. In October, it was reported that a major international hotel chain experienced a breach in which some customer information was revealed, including names, addresses, email addresses, and rewards membership numbers. In the same month, an airline suffered a massive breach, affecting up to 94 million passengers, with the leakage of frequent flyer numbers and historical travel data. In both of these cases, the companies provided assurances that no customer financial data was exposed.
Are such assurances enough? Because no credit card numbers were exposed, the companies escape regulatory fines and customers assume their money is safe. But what is regulated data—and is it the only data that matters?
Regulatory authorities provide strict guidelines for protecting certain types of sensitive data. In most cases, this includes PCI (payment card information), PII (personally identifiable information, such as Social Security numbers), as well as data protected by HIPAA and other regulations. While such protections are essential, these regulated categories aren’t the only kinds of information that bad actors are looking to get their hands on.
The price of a piece of data on the black market is a good indicator of its value. According to Experian, a Social Security number is sold on average for $1, while an American credit card number is sold for $10. But a rewards membership number may be sold for between $35 and $200 or more.
Today, rewards membership information is the new “hot data” — with good reason. Technically, membership information can be traded for cash, as businesses buy and sell rewards points. Scammers can perform unauthorized transfers of your reward points into accounts they’ve set up or to gift cards, which can be used at a variety of retailers with no ID required. Your account is emptied and, unless you check your points regularly, you’re not likely to notice the discrepancy for months.
Breaches that result in the loss of membership data don’t just affect members; the businesses can take a considerable hit, too. They might not have to pay fines as they would with the loss of payment information like credit card numbers, but they may have to deal with fraudulent activities on their customers’ accounts for years to come. They may have to repay users for the miles stolen and pay for monitoring services when passport data is breached. They might have to monitor bookings and transfers of membership/rewards points to avoid potential fraud. And they’ll almost certainly have to deal with the public relations fallout from failing to protect customer information.
In these most recent breaches, the companies expressed confidence that there was no leak of highly regulated financial data, but that doesn’t mean there was no loss of valuable data. There was. Companies need to learn that the loss of non-regulated data can cost them in significant ways and they need to protect this data with all the rigor they apply to the regulated data.