
Airline IT Provider Hacked

10 May 2021

Akamai, a cybersecurity company in the loyalty space, showed in a report that over 100 billion credential stuffing attacks occurred between July 2018 and June 2020. In these attacks, hackers used stolen passwords to gain access to multiple accounts owned by one person. Of these, about 63 billion targeted retail, travel, and hospitality.

However, the scary thing about these hacks is WHY they happen. Hackers do everything they can to access your accounts not only for your points, but also for your personal information. They can use your data to build a profile of you that they can sell on the dark web for identity fraud.

To protect yourself from fraud while traveling, check out our article on Apps Every Traveler Should Have on Their Phone for tips on how to travel safely.

 

According to Steve Ragan, Akamai’s security researcher: 

“Criminals are not picky―anything that can be accessed can be used in some way. This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, traded, or even compiled for extensive profiles that can later be used for crimes such as identity theft.”  

When the COVID-19 pandemic started in the first quarter of 2020, hackers took advantage of the situation and circulated password combination lists so they could target different commerce industries. This led to a significant uptick in criminal inventory and sales related to loyalty programs. 

According to an Associated Press (AP) news article dated March 6, 2021, hackers were able to access SITA Passenger Service System, an Atlanta-based company that manages ticket processing and frequent-flier data for major global airlines.

The incident compromised the personal data of an unspecified number of travelers, including those from Star Alliance and OneWorld. 

Spokesman Sandro Hofer would not say exactly how many airlines were affected. However, the hack had already been under way for up to a month before the seriousness of the case was confirmed on February 24.

Aside from the two airline alliances mentioned above, Singapore Airlines, New Zealand Air, and Lufthansa were also among those affected by the breach.

As stated in AP’s report, Malaysia Airlines, Finnair, Japan Airlines, and Cathay Pacific had either issued statements or reached out to their frequent flyer members to inform them about the hack. 

On the other hand, United Airlines believed the only customer data potentially accessed by the hackers were names, frequent flyer numbers, and program status. The company recommended via email that frequent flyer customers should change their passwords as a cautionary measure. 

Following this report, an article from TravelPulse stated that millions of travelers have already been affected by the global airline data breach. In fact, Tomi Pienimaki, the Chief Digital Officer for OneWorld member Finnair, said that approximately 10% of loyalty customers had been targeted by the hack. 

In the words of Kevin Lee, a risk expert for the digital security firm Sift, loyalty programs are “almost a honeypot for hackers”―they’re easy to sign up for, shielded by flimsy passwords and often neglected by users. 

While these programs and their appetite for data have grown, security in cyberspace has not kept pace. 

State of The Internet and Frequent Flyer Programs Security 

A recent report from Akamai says reward and loyalty points can be cashed out or traded for gift cards in local retail stores. It’s easy to do this because redeeming these points does not require a person to enter a password or present an identification card (ID). 

What else? 

According to a report by Comparitech, stolen reward miles are being sold on the dark web. The price varies depending on the number of miles and the demand from an airline. 

Although cryptocurrency transactions are recorded in a public ledger online, hackers are still able to use methods such as Bitcoin to conceal their illegal transactions from authorities.

Delta and British Airways miles are among the most commonly found for sale on the dark web.

With all this information, how can you protect your airline miles from being stolen, sold on the dark web, or used for illegal purposes? 

Comparitech offers tips on how to protect your account: 

  • Shred your boarding pass after a flight. With a discarded boarding pass, it’s easy for hackers to access your travel plans, change or cancel future reservations, steal unused frequent flyer points, etc. By shredding your boarding pass before throwing it away, you give a hacker no room to break into your accounts.
  • NEVER post a photo of your boarding pass online. Hackers are capable of finding any passenger’s name record using the 6-digit codes printed on boarding passes and luggage tickets. Don’t give them any opportunity to do that. 
  • Use a strong and unique password for your frequent flyer account. As much as possible, use different passwords for each of your loyalty programs. This is because once a hacker finds a password, he or she can often break into multiple accounts. However, if your accounts are secured with different passwords, there’s less chance for the hacker to access all your loyalty programs. 
  • Monitor your account regularly for any suspicious activity. Keeping an eye on your account can help you spot potentially fraudulent activity and prevent any financial or travel losses before they happen. 
  • Refrain from putting your airline account number on a baggage tag. It’s normal to place your name on a baggage tag, but don’t include your airline account number on it! You have to be smart about details that are confidential and those that are not. 
  • Avoid using public Wi-Fi to access your account. Simple reason: public Wi-Fi networks are not secure. You shouldn’t use them to access your sensitive accounts, as these networks make ideal hunting grounds for cyber criminals.
  • Use Experian’s Dark Web Scanner to see if your personal information is on the dark web. 

I would also caution travelers against buying miles on award tickets from different online mileage brokers prominently advertised on Google searches. Even the more reputable ones purchase the miles they sell from random individuals, so I would be worried that they could unknowingly purchase stolen miles from someone and in turn resell them to you in the form of an award ticket. Although I have not had any experience with this personally, and have yet to hear from anyone who ended up in a situation like this, I would still caution about it as a possibility. If you have purchased an award online which turned out to be stolen miles or had your account hacked and miles stolen, we would love to hear from you!

 

 
