How to protect yourself against rewards program data breaches
In recent years, it’s become clear that cybersecurity is an issue many companies struggle with. Unfortunately, that extends to the world of loyalty programs. Both Marriott Bonvoy and IHG One Rewards have been subjected to data breaches that affected millions of consumers, and the Equifax hack of 2017 left millions of Americans vulnerable to identity theft. Clint Henderson, a managing editor at TPG, recently had his AAdvantage account hacked and over 300,000 miles stolen.
With loyalty programs being vulnerable targets, protecting your information from exposure is more important than ever. So, how do you go about doing that?
TPG spoke to Bahman Hayat, a software engineer specializing in cybersecurity who has worked for IBM and Microsoft, for advice on keeping our data safe from hackers. According to Hayat, data hacks are becoming more common due to poor cybersecurity and sometimes negligence.
“There are many ways data breaches happen, from storage buckets and databases being left unsecured on the internet to social engineering attacks against authorized users to simple human errors,” Hayat said. “At this point, we should assume that we have already been affected and expect to be affected again."
While giving out our information exposes us to risk, joining a rewards program isn’t something we can bypass. So, what can we do to protect ourselves against future data breaches? Here are simple steps you can take.
Avoid giving out sensitive information unless necessary

The first step to protecting your account is to avoid giving out sensitive information in the first place.
“Any time you have to give your personally identifiable information to a service, think twice about whether it’s necessary," Hayat said. "The less we give out, the fewer chances of us being affected by a breach.”
Your date of birth, passport number and even address can put you at risk, so avoid giving these out if possible. If you need to hand over this information, there is less risk if the website offers two-factor authentication. If the program doesn’t, Hayat recommends reaching out and requesting that it start offering it.
Use two-factor authentication
Setting up two-factor authentication for your loyalty account is an easy but critical way to enhance your online security.
Two-factor authentication adds an extra layer of security by requiring two forms of verification before granting access. Typically, this involves something you know (like a password) plus either something you have (such as a smartphone app that generates a temporary code or sends a push notification or an email) or biometrics such as fingerprints or facial recognition. This dual requirement makes it much harder for unauthorized individuals to gain access, as they would need both your password and the second factor.
Additionally, two-factor authentication provides an immediate alert if someone attempts to access your account, allowing you to take swift action to secure it. This proactive approach is crucial in preventing unauthorized transactions or misuse of your points and miles.
If you’re an Amazon customer, you’ve probably set up two-factor authentication and are used to receiving text messages with verification codes when you attempt to log in to your account. This keeps your information safe from potential hackers who may access your password and charge things to your Amazon account. You might think, "That’s not smart. They would have to provide their home address for those orders. They would get caught."
A hacker might have various motivations for wanting access to your Amazon account, including a scam called "brushing," in which they send substandard products to customers who did not order them and then leave fake reviews of those products to increase their reach in the online marketplace.
According to Hayat, multifactor authentication can help prevent scenarios like this one. While Amazon uses text-based authentication, Hayat advises against it.
“Those are vulnerable to SIM swap attacks, where an attacker can convince your carrier to transfer your phone number to their SIM," he said. "If you must use text-based authentication, call your carrier and set up a PIN with them. I recommend using Microsoft Authenticator or Google Authenticator. If you want to take it a step further, use YubiKey.”
Check if your data has been compromised

Hayat also recommends that you regularly check Have I Been Pwned to see whether your information has been leaked due to a data breach. If your account has already been compromised, the best thing to do is immediately change your passwords and start using a password manager and multifactor authentication.
Use a password manager
Confession: In the past, I kept all my rewards program passwords in a document on my laptop. If anyone had accessed that document, all my information would have been compromised. Experts recommend creating unique passwords for each account, but that’s incredibly tough to manage if storing them all on a computer or paper file isn’t an option.
Hayat recommends a password manager as a secure way to store all your login credentials in one place.
“That way, you will have a strong and unique password for every service and if one of them gets leaked, the attacker won’t be able to use that on other services. This will protect you against something called 'credential stuffing,'" Hayat said.
"Credential stuffing is where an attacker uses leaked credentials to gain unauthorized access to user accounts on other services," Hayat continued. "For example, if you use the same password on websites A and B, if website A’s data gets breached, an attacker could use that to log into website B. Using unique passwords will protect you against such an attack.”
Hayat recommends 1Password as a great option that is reputable and secure.
Monitor your credit

Whether you invest in a credit monitoring service or check your score occasionally, Hayat recommends checking your credit report annually to ensure there are no discrepancies. If a hacker maxes out your credit card in your name, you’ll see it on your credit report. You can even get free credit monitoring through Experian and receive notifications when a new account is opened or your credit score changes.
Hayat recommends freezing your credit and then lifting the freeze temporarily before opening a new account for more peace of mind. A credit freeze will prevent anyone from accessing your credit information or opening a new account. If your data has been leaked, a credit freeze is the best way to protect yourself against further damage.
Petition loyalty programs to get serious about security
With all the recent data breaches, it’s become apparent that companies are not taking the necessary precautions to keep our data safe.
“Many companies today don’t make the necessary investments in their cybersecurity," Hayat told TPG. "We see repeatedly that leaked passwords are not hashed and salted or weak hashing like MD5 is used, which can be easily cracked. Therefore, as users, we must take the necessary steps so we are protected in the event of a breach."
Hayat recommends contacting loyalty programs and banks that haven’t implemented two-factor authentication and requesting that they do. After all, we’re responsible for our data, and if we’re handing it over to a third party like a loyalty program, we should ensure that it remains safe.
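What "hashed and salted" means for a stored password, as an added example that is not part of the original article: with unsalted MD5, every account that shares a password shares a stored digest, while a per-user salt and a slow hash make every stored record distinct and costly to guess. The accounts are constructed sample data, the function names are illustrative, and scrypt is one choice of slow hash that the article does not name.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and carol reuse the same password.
SAMPLE_USERS = {"alice": "password", "bob": "Tr0ub4dor&3", "carol": "password"}
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def md5_unsalted(password: str) -> str:
    """The weak scheme: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def shared_value_groups(table: dict) -> list:
    """Users whose stored values are identical: what a leaked table shows at a glance."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(users=SAMPLE_USERS):
    """Return (unsalted MD5 table, salted scrypt table) for the same accounts."""
    md5_table = {u: md5_unsalted(p) for u, p in users.items()}
    scrypt_table = {u: hash_password(p) for u, p in users.items()}
    return md5_table, scrypt_table


if __name__ == "__main__":
    md5_table, scrypt_table = build_tables()
    print("MD5, accounts sharing a digest:   ", shared_value_groups(md5_table))
    print("scrypt, accounts sharing a record:", shared_value_groups(scrypt_table))
    print("login still works:", verify_password("password", scrypt_table["carol"]))
```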
How is your loyalty program protecting you against a breach?
A spate of recent data breaches has led to various airline and hotel loyalty programs requiring two-factor authentication as a compulsory step when logging into an account. While this can be frustrating for anyone who logs into an account regularly, it's better to be safe than sorry. Here is how major loyalty programs are combatting data breaches:
Airline programs
- American Airlines AAdvantage: Optional two-factor authentication by email
- Delta SkyMiles: No two-factor authentication option
- Frontier Miles: Optional two-factor authentication
- JetBlue TrueBlue: Compulsory two-factor authentication by email with the option to change to a more secure text message two-factor authentication
- United MileagePlus: Rolling out selective testing of two-factor authentication
- Southwest Rapid Rewards: No two-factor authentication option
- Free Spirit: No two-factor authentication option
- Air Canada Aeroplan: Compulsory two-factor authentication by email
- Air France-KLM Flying Blue: Compulsory two-factor authentication by email
- British Airways Executive Club: Optional two-factor authentication by email
- Qatar Airways Privilege Club: Compulsory two-factor authentication by email
- Singapore Airlines KrisFlyer: Optional two-factor authentication for flight bookings; mandatory two-factor authentication for changes to KrisFlyer accounts
Hotel programs
- Hilton Honors: Compulsory two-factor authentication by email for only limited activities, such as logging on using a new device
- Marriott Bonvoy: Optional two-factor authentication for email or phone verification
- IHG One Rewards: No two-factor authentication option
- Radisson Rewards: No two-factor authentication option
- World of Hyatt: No two-factor authentication option
Bottom line
With technology continuing to advance, it's no surprise that hackers are targeting our information. Since loyalty programs contain personal information as well as potentially hundreds of thousands of points or miles, keeping your account safe is pivotal.
Follow the tips outlined in this story to minimize potential damage and help protect yourself against further identity theft.

