
A Reminder that Hacking an Airline’s Website is Illegal


Last week, we reported that a man was sitting in a Florida jail awaiting trial for stealing American Airlines miles worth “more than $260,000,” which he allegedly redeemed for hotels and rental cars. Given how easy it can be to rack up points and miles, it can be tempting to break the rules of frequent flyer programs, but breaking the law is a different matter entirely. Just as stealing someone else’s miles is flat-out illegal, stealing travel certificates from an airline itself is a crime.

A Utah man, Ammon Cunningham, 28, was charged with computer crimes, theft, communications fraud and a pattern of unlawful activity, all of which are felony charges. According to United Airlines, Cunningham hacked the carrier’s website between July 2012 and September 2012 and obtained PIN codes for the carrier’s Electronic Travel Certificates (ETCs). The ETCs had been given to United travelers but not yet redeemed. In all, Cunningham used 13 stolen PIN codes for personal travel and sold about 120 PIN codes to others on sites like Craigslist.

A man hacked into United’s website, stealing PIN codes for Electronic Travel Certificates.

Not only did Cunningham commit a crime by stealing these PIN codes, using them for himself or selling them, but he also threatened United Airlines. In September 2012, he contacted the carrier under an alias, claiming he “found a massive hole in the United.com website.” He was willing to share with United what the hole was — if United gave him $10,000 and first-class tickets to any destination in the world for him and his family. United claims that the hacking by Cunningham cost it $58,123.

There’s now a warrant for Cunningham’s arrest with bail set at $50,000. This all happened before United’s ‘bug bounty’ program. The program, which was introduced in 2015, rewards those who spot flaws or bugs in United’s website with miles, with a maximum payout of 1,000,000 miles for high-severity fixes. With new programs like this, United is hoping no one else is able to hack its system the way Cunningham did in 2012.

H/T: KUTV
