Skip to content

A Reminder that Hacking an Airline's Website is Illegal

May 12, 2016
2 min read
A Reminder that Hacking an Airline's Website is Illegal
This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.
Sign up for our daily newsletter

Last week, we reported that a man was sitting in a Florida jail awaiting trial for stealing American Airlines miles worth "more than $260,000," which he allegedly redeemed for hotels and rental cars. Knowing how easy it can be to rack up points and miles, it can be tempting to break the rules of frequent flyer programs, but breaking the law is a different matter entirely. So just like stealing someone else's miles is flat-out illegal, stealing travel certificates from an airline itself is just as much of a crime.

A Utah man, Ammon Cunningham, 28, was charged with felony computer crimes, theft, communications fraud and a pattern of unlawful activity — all of which are felony charges. According to United Airlines, Cunningham hacked the carrier's website between July 2012 and September 2012 and obtained PIN codes for the carrier's Electronic Travel Certificates. The ETCs had been given to United travelers but not yet redeemed. In all, Cunningham used 13 stolen PIN codes for personal travel and about 120 PIN codes for selling to others on sites like Craigslist.

You could earn up to a 100% bonus when you purchase United miles.
A man hacked into United's website, stealing PIN codes for Electronic Travel Certificates.

Not only did Cunningham commit a crime by stealing these PIN codes, using them for himself or selling them, but he also threatened United Airlines. In September 2012, he contacted the carrier under an alias, claiming he "found a massive hole in the website." He was willing to share with United what the hole was — if United gave him $10,000 and first-class tickets to any destination in the world for him and his family. United claims that the hacking by Cunningham cost it $58,123.

There's now a warrant for Cunningham's arrest with bail set at $50,000. This all happened before United's 'bug bounty' program. The program, which was introduced in 2015, rewards those who spot flaws or bugs in United's website with miles — there's a maximum payout of 1,000,000 miles for high-severity fixes. With new programs like this, United's hoping no one else is able to hack its system like Cunningham was able to do in 2012.


Top offers from our partners

How we chose these cards

Our points-obsessed staff uses a plethora of credit cards on a daily basis. If anyone on our team wouldn’t recommend it to a friend or a family member, we wouldn’t recommend it on The Points Guy either. Our opinions are our own, and have not been reviewed, approved, or endorsed by our advertising partners.
See all best card offers