How to protect yourself against reward programme data breaches

Nov 1, 2020

In recent years, it’s become clear that cybersecurity is an issue many companies continue to struggle with. Unfortunately, that extends to the world of loyalty programmes. In the last two years alone, both Marriott and IHG Rewards Club have been subject to data breaches that affected millions of consumers. British Airways faced a £183 million fine for its 2018 data breach.

With loyalty programmes being vulnerable targets, it’s more important than ever to protect your information from being exposed. So how do you go about doing that?

I reached out to Bahman Hayat, a software engineer specializing in cybersecurity, for advice on keeping our data safe from hackers. According to Hayat, data hacks are becoming more common due to poor cybersecurity and sometimes negligence. “There are many ways data breaches happen, from storage buckets and databases being left unsecured on the internet to social engineering attacks against authorised users to simple human errors.”

“At this point, we should assume that we have already been affected and we should expect to be affected again in the future.”

While giving out our information exposes us to risk, joining a reward programme isn’t something we can simply bypass. So what can we do to protect ourselves against future data breaches? Here are six simple steps you can take today.

Avoid giving out sensitive information unless absolutely necessary

The first step to protecting your account is to avoid giving out sensitive information in the first place. “Any time you have to give your personally identifiable information to a service,” said Hayat, “think twice about whether it’s necessary. The less we give out, the fewer chances of us being affected by a breach.”

Your date of birth, passport number and even address can put you at risk, so avoid giving these out, if possible. If you absolutely need to hand over this information, there is less risk if the website offers two-factor authentication. If the programme doesn’t, then Hayat recommends reaching out and requesting that they start offering it.

Use multi-factor authentication

If you’re an Amazon customer, you’ve probably set up two-factor authentication and are used to receiving text messages with verification codes when you attempt to log in to your account. This keeps your information safe from potential hackers who may get a hold of your password and charge things to your Amazon account. You might think, “That’s not smart. They would have to provide their home address for those orders. They would get caught.”

Well, about eight years ago, my friend’s home was burglarized while she was away on holiday. Not only did the thieves swipe all her electronics, but they also accessed all her login information that she kept on her laptop. They proceeded to order thousands of dollars in merchandise from Amazon with her credit card. She had a name and mailing address but when she reported it to the police, they told her to dispute the charge with her credit card company because they simply did not have the budget to pursue theft cases. She had the thief’s name and home address and yet they couldn’t investigate. The lack of repercussions likely did nothing to deter this particular thief from continuing on their crime spree.

According to Hayat, multi-factor authentication can help prevent scenarios like this one. While Amazon uses text-based authentication, Hayat advises against it. “Those are vulnerable to SIM swap attacks, where an attacker can convince your carrier to transfer your phone number to their SIM. If you must use text-based authentication, I suggest you call your carrier and set up a PIN with them. I recommend using Microsoft Authenticator or Google Authenticator. If you want to take it a step further, use YubiKey.”

Check if your data has been compromised

Hayat also recommends that you regularly check Have I Been Pwned to see whether your information has been leaked in a data breach. If your account has already been compromised, the best thing to do is to change your passwords immediately and start using a password manager and multi-factor authentication.

Use a password manager

Confession: In the past, I kept all my reward programme passwords in a document on my laptop. If anyone had gained access to that document, all my information would have been compromised. Experts recommend creating unique passwords for each account, but that’s incredibly tough to manage if storing them all on a computer or paper file isn’t an option.

Hayat recommends a password manager as a secure way to store all your login credentials in one place. “That way, you will have a strong and unique password for every service and if one of them gets leaked, the attacker won’t be able to use that on other services. This will protect you against something called credential stuffing.

Credential stuffing is where an attacker uses leaked credentials to gain unauthorised access to user accounts on other services. For example, if you use the same password on website A and B, if website A’s data gets breached, an attacker could use that to log into website B. By using unique passwords, you will be protected against such an attack.”

Hayat recommends 1Password as a great option that is reputable and secure.

Monitor your credit

Whether you invest in a credit monitoring service or check your score occasionally, Hayat recommends checking your credit report annually to ensure there are no discrepancies. If a hacker maxes out your credit card in your name, you’ll see it on your credit report. You can even get free credit monitoring through Experian and receive notifications when a new account is opened or your credit score changes.

For more peace of mind, Hayat recommends freezing your credit and lifting it temporarily before opening a new account. A credit freeze will prevent anyone from accessing your credit information or opening a new account. If your data has been leaked, a credit freeze is the best way to protect yourself against further damage.

Petition loyalty programmes to get serious about security

With all the recent data breaches, it’s become apparent that companies are not taking the necessary precautions to keep our data safe. “There are many companies today that don’t make the necessary investments in their cybersecurity. We see time and time again that leaked passwords are not hashed and salted or weak hashing like MD5 is used, which can be easily cracked. Therefore, as users, we must take the necessary steps, so we are protected in the event of a breach.”
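To make the hashing point concrete, here is an added example (not code from the article or from Hayat) that puts the weak scheme Hayat describes, a single unsalted MD5, beside a salted, deliberately slow PBKDF2-HMAC-SHA256 scheme. The three-user table is constructed: two users chose the same password, and with unsalted MD5 their stored hashes are identical, so one precomputed lookup exposes both; with a per-user salt the hashes differ and each must be attacked separately at full cost.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional


def md5_unsalted(password: str) -> str:
    """The weak scheme from the article: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256 stored as 'iterations$salt$hash' so the
    parameters needed to verify travel with the record. 600k iterations is the
    OWASP-recommended minimum for PBKDF2-HMAC-SHA256 at the time of writing."""
    salt = salt if salt is not None else os.urandom(16)  # fresh 128-bit salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table: alice and bob picked the same weak password.
USERS = {
    "alice": "Summer2020",
    "bob": "Summer2020",
    "carol": "correct horse battery staple",
}


def duplicate_hash_count(hash_fn: Callable[[str], str]) -> int:
    """How many stored hashes match another user's hash. Any value above zero
    means a single cracked or precomputed hash unlocks more than one account."""
    hashes = [hash_fn(pw) for pw in USERS.values()]
    return sum(1 for h in hashes if hashes.count(h) > 1)


if __name__ == "__main__":
    print("unsalted MD5 duplicates:", duplicate_hash_count(md5_unsalted))
    print("salted PBKDF2 duplicates:", duplicate_hash_count(pbkdf2_salted))
```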

Hayat recommends reaching out to loyalty programmes and banks that haven’t implemented two-factor authentication and requesting that they do. After all, we’re responsible for our data and if we’re handing it over to a third party like a loyalty programme, we should ensure that it remains safe.

Bottom line

I’ve personally experienced two loyalty programme hacks. In 2013, my Club Carlson (now Radisson Rewards) account was compromised and hackers redeemed my points for gift cards. The latter part of that story is perhaps what bothered me the most because Club Carlson quickly refunded the points and it hasn’t happened since.

The second time, I received flight confirmation emails from JetBlue for trips I had not booked. Someone had hacked into my JetBlue pool and redeemed almost 70,000 points for two round-trip transcontinental flights. I eventually got back into my account, kicked the perpetrator out of my family pool and got my points back.

Chances are, you’ve had your own brush with a data breach you may not even be aware of. Follow the tips outlined in this story to minimize potential damage and protect yourself against further identity theft.

Bahman Hayat is a software engineer who has an interest in cybersecurity. Bahman is listed on the AT&T Bug Bounty Program Hall of Fame and has received a Security Researcher Acknowledgement from Microsoft for responsibly disclosing security vulnerabilities. You can learn more about data security and follow Bahman’s travel adventures on Instagram.
