
How to protect yourself against rewards program data breaches

July 31, 2024

In recent years, it's become clear that cybersecurity is an issue many companies struggle with. Unfortunately, that extends to the world of loyalty programs. Both Marriott Bonvoy and IHG One Rewards have been subjected to data breaches that affected millions of consumers, and the Equifax hack of 2017 left millions of Americans vulnerable to identity theft. Clint Henderson, a managing editor at TPG, recently had his AAdvantage account hacked and over 300,000 miles stolen.

With loyalty programs being vulnerable targets, protecting your information from exposure is more important than ever. So, how do you go about doing that?

TPG spoke to Bahman Hayat, a software engineer specializing in cybersecurity who has worked for IBM and Microsoft, for advice on keeping our data safe from hackers. According to Hayat, data hacks are becoming more common due to poor cybersecurity and sometimes negligence.

"There are many ways data breaches happen, from storage buckets and databases being left unsecured on the internet to social engineering attacks against authorized users to simple human errors," Hayat said. "At this point, we should assume that we have already been affected and expect to be affected again."

While giving out our information exposes us to risk, joining a rewards program isn't something we can bypass. So, what can we do to protect ourselves against future data breaches? Here are simple steps you can take.

Avoid giving out sensitive information unless necessary


The first step to protecting your account is to avoid giving out sensitive information in the first place.

"Any time you have to give your personally identifiable information to a service, think twice about whether it's necessary," Hayat said. "The less we give out, the fewer chances of us being affected by a breach."

Your date of birth, passport number and even address can put you at risk, so avoid giving these out if possible. If you need to hand over this information, there is less risk if the website offers two-factor authentication. If the program doesn't, then Hayat recommends reaching out and requesting that it starts offering it.


Use two-factor authentication

Setting up two-factor authentication for your loyalty account is an easy but critical way to enhance your online security.

Two-factor authentication adds an extra layer of security by requiring two forms of verification before granting access. Typically, this involves something you know (like a password) combined with either something you have (such as a smartphone app that generates a temporary code or sends a push notification, or an email) or biometrics such as fingerprints or facial recognition. This dual requirement makes it much harder for unauthorized individuals to gain access, as they would need both your password and the second factor.

Additionally, two-factor authentication provides an immediate alert if someone attempts to access your account, allowing you to take swift action to secure it. This proactive approach is crucial in preventing unauthorized transactions or misuse of your points and miles.

If you're an Amazon customer, you've probably set up two-factor authentication and are used to receiving text messages with verification codes when you attempt to log in to your account. This keeps your information safe from potential hackers who may access your password and charge things to your Amazon account. You might think, "That's not smart. They would have to provide their home address for those orders. They would get caught."

A hacker might have various motivations for wanting access to your Amazon account, including a scam called "brushing," in which they send substandard products to people who did not order them and then leave fake reviews of those products to increase their reach in the online marketplace.

According to Hayat, multifactor authentication can help prevent scenarios like this one. While Amazon uses text-based authentication, Hayat advises against it.

"Those are vulnerable to SIM swap attacks, where an attacker can convince your carrier to transfer your phone number to their SIM," he said. "If you must use text-based authentication, call your carrier and set up a PIN with them. I recommend using Microsoft Authenticator or Google Authenticator. If you want to take it a step further, use YubiKey."
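How the temporary code in an authenticator app is derived, as an added Python example (not from the article or from Hayat): it implements the standard TOTP algorithm (RFC 6238) that authenticator apps such as those named above support, using the RFC's published test secret as constructed sample input. The shared secret sits only on the phone and the server, so transferring a phone number to another SIM does not expose it.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code, the RFC 6238 default
DIGITS = 6     # code length shown by typical authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since 1970."""
    return hotp(secret, int(now) // STEP, digits)


def verify(secret: bytes, submitted: str, now: float, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus or minus a small clock drift."""
    current = int(now) // STEP
    ok = False
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(hotp(secret, step), submitted)
    return ok


# Constructed sample: the shared secret from the RFC 4226 / RFC 6238 test vectors.
# A real secret is random and is delivered once, usually as a base32 QR code.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("enrolment string:", base64.b32encode(SECRET).decode())
    print("code right now:  ", totp(SECRET, time.time()))
    print("accepted:        ", verify(SECRET, totp(SECRET, time.time()), time.time()))
```

A code captured at one moment stops being accepted once it falls outside the drift window, which is what limits the value of a phished or shoulder-surfed code.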


Check if your data has been compromised


Hayat also recommends that you regularly check Have I Been Pwned to see whether your information has been leaked due to a data breach. If your account has already been compromised, the best thing to do is immediately change your passwords and start using a password manager and multifactor authentication.

Use a password manager

Confession: In the past, I kept all my rewards program passwords in a document on my laptop. If anyone had accessed that document, all my information would have been compromised. Experts recommend creating unique passwords for each account, but that's incredibly tough to manage if storing them all on a computer or paper file isn't an option.

Hayat recommends a password manager as a secure way to store all your login credentials in one place.

"That way, you will have a strong and unique password for every service and if one of them gets leaked, the attacker won't be able to use that on other services. This will protect you against something called 'credential stuffing,'" Hayat said.

"Credential stuffing is where an attacker uses leaked credentials to gain unauthorized access to user accounts on other services," Hayat continued. "For example, if you use the same password on websites A and B, if website A's data gets breached, an attacker could use that to log into website B. Using unique passwords will protect you against such an attack."

Hayat recommends 1Password as a great option that is reputable and secure.


Monitor your credit


Whether you invest in a credit monitoring service or check your score occasionally, Hayat recommends checking your credit report annually to ensure there are no discrepancies. If a hacker maxes out your credit card in your name, you'll see it on your credit report. You can even get free credit monitoring through Experian and receive notifications when a new account is opened or your credit score changes.

For more peace of mind, Hayat recommends freezing your credit and then lifting the freeze temporarily before you open a new account. A credit freeze will prevent anyone from accessing your credit information or opening a new account. If your data has been leaked, a credit freeze is the best way to protect yourself against further damage.


Petition loyalty programs to get serious about security

With all the recent data breaches, it's become apparent that companies are not taking the necessary precautions to keep our data safe.

"Many companies today don't make the necessary investments in their cybersecurity," Hayat told TPG. "We see repeatedly that leaked passwords are not hashed and salted or weak hashing like MD5 is used, which can be easily cracked. Therefore, as users, we must take the necessary steps so we are protected in the event of a breach."
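What "hashed and salted" changes compared with unsalted MD5, as an added Python example (not code from the article or from any loyalty program): the account names, the short common-password list and the PBKDF2 iteration count are constructed assumptions. It shows that one precomputed table matches every unsalted MD5 record holding a common password, while a per-user salt and a slow key-derivation function give each member a different record.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune per deployment


def weak_record(password: str) -> str:
    """What the quote warns about: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_record(password: str) -> tuple[bytes, bytes]:
    """Random per-user salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check(password: str, record: tuple[bytes, bytes]) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def exposed_by_table(leaked: dict[str, str], common: list[str]) -> dict[str, str]:
    """Breach-impact audit: which unsalted hashes match a precomputed table of
    common passwords? The same table works against every member at once."""
    table = {weak_record(p): p for p in common}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Constructed sample data: two members chose the same common password,
# a third uses a unique one generated by a password manager.
COMMON = ["123456", "password", "qwerty"]
MD5_DB = {
    "alice": weak_record("qwerty"),
    "bob": weak_record("qwerty"),
    "carol": weak_record("x7!Lq-unique-from-manager"),
}

if __name__ == "__main__":
    print("matched by one table:", exposed_by_table(MD5_DB, COMMON))
    print("salted records differ:", strong_record("qwerty")[1] != strong_record("qwerty")[1])
```

Carol's record is not matched even under MD5, which is the user-side half of the advice: a unique, manager-generated password stays out of common-password tables regardless of how the service stores it.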

Hayat recommends contacting loyalty programs and banks that haven't implemented two-factor authentication and requesting that they do. After all, we're responsible for our data, and if we're handing it over to a third party like a loyalty program, we should ensure that it remains safe.

How is your loyalty program protecting you against a breach?

A spate of recent data breaches has led to various airline and hotel loyalty programs requiring two-factor authentication as a compulsory step when logging into an account. While this can be frustrating for anyone who logs into an account regularly, it's better to be safe than sorry. Here is how major loyalty programs are combatting data breaches:

Airline programs

  • American Airlines AAdvantage: Optional two-factor authentication by email
  • Delta SkyMiles: No two-factor authentication option
  • Frontier Miles: Optional two-factor authentication
  • JetBlue TrueBlue: Compulsory two-factor authentication by email with the option to change to a more secure text message two-factor authentication
  • United MileagePlus: Rolling out selective testing of two-factor authentication
  • Southwest Rapid Rewards: No two-factor authentication option
  • Free Spirit: No two-factor authentication option
  • Air Canada Aeroplan: Compulsory two-factor authentication by email
  • Air France-KLM Flying Blue: Compulsory two-factor authentication by email
  • British Airways Executive Club: Optional two-factor authentication by email
  • Qatar Airways Privilege Club: Compulsory two-factor authentication by email
  • Singapore Airlines KrisFlyer: Optional two-factor authentication for flight bookings; mandatory two-factor authentication for changes to KrisFlyer accounts

Hotel programs

  • Hilton Honors: Compulsory two-factor authentication by email for only limited activities, such as logging on using a new device
  • Marriott Bonvoy: Optional two-factor authentication via email or phone verification
  • IHG One Rewards: No two-factor authentication option
  • Radisson Rewards: No two-factor authentication option
  • World of Hyatt: No two-factor authentication option


Bottom line

With technology continuing to advance, it's no surprise that hackers are targeting our information. Since loyalty programs contain personal information as well as potentially hundreds of thousands of points or miles, keeping your account safe is pivotal.

Follow the tips outlined in this story to minimize potential damage and help protect yourself against further identity theft.
