A Reminder that Hacking an Airline’s Website is Illegal

May 12, 2016

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Last week, we reported that a man was sitting in a Florida jail awaiting trial for stealing American Airlines miles worth “more than $260,000,” which he allegedly redeemed for hotels and rental cars. Knowing how easy it can be to rack up points and miles, it can be tempting to break the rules of frequent flyer programs, but breaking the law is a different matter entirely. So just like stealing someone else’s miles is flat-out illegal, stealing travel certificates from an airline itself is just as much of a crime.

A Utah man, Ammon Cunningham, 28, was charged with felony computer crimes, theft, communications fraud and a pattern of unlawful activity — all of which are felony charges. According to United Airlines, Cunningham hacked the carrier’s website between July 2012 and September 2012 and obtained PIN codes for the carrier’s Electronic Travel Certificates. The ETCs had been given to United travelers but not yet redeemed. In all, Cunningham used 13 stolen PIN codes for personal travel and about 120 PIN codes for selling to others on sites like Craigslist.

You could earn up to a 100% bonus when you purchase United miles.
A man hacked into United’s website, stealing PIN codes for Electronic Travel Certificates.

Not only did Cunningham commit a crime by stealing these PIN codes, using them for himself or selling them, but he also threatened United Airlines. In September 2012, he contacted the carrier under an alias, claiming he “found a massive hole in the United.com website.” He was willing to share with United what the hole was — if United gave him $10,000 and first-class tickets to any destination in the world for him and his family. United claims that the hacking by Cunningham cost it $58,123.

There’s now a warrant for Cunningham’s arrest with bail set at $50,000. This all happened before United’s ‘bug bounty’ program. The program, which was introduced in 2015, rewards those who spot flaws or bugs in United’s website with miles — there’s a maximum payout of 1,000,000 miles for high-severity fixes. With new programs like this, United’s hoping no one else is able to hack its system like Cunningham was able to do in 2012.


Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.