How to protect yourself against reward program data breaches

Sep 19, 2020


In recent years, it’s become clear that cybersecurity is an issue many companies continue to struggle with. Unfortunately, that extends to the world of loyalty programs. In the last two years alone, both Marriott and IHG Rewards Club have been subject to data breaches that affected millions of consumers. Capital One was compromised last year and the Equifax hack of 2017 left millions of Americans vulnerable to identity theft. Even Panera Bread experienced a data breach in 2018 that impacted 37 million customers. 

With loyalty programs being vulnerable targets, it’s more important than ever to protect your information from being exposed. So how do you go about doing that?

I reached out to Bahman Hayat, a software engineer specializing in cybersecurity, for advice on keeping our data safe from hackers. According to Hayat, data hacks are becoming more common due to poor cybersecurity and sometimes negligence. “There are many ways data breaches happen, from storage buckets and databases being left unsecured on the internet to social engineering attacks against authorized users to simple human errors.”

“At this point, we should assume that we have already been affected and we should expect to be affected again in the future.” 

While giving out our information exposes us to risk, joining a reward program isn’t something we can simply bypass. So what can we do to protect ourselves against future data breaches? Here are six simple steps you can take today.


Avoid giving out sensitive information unless absolutely necessary

The first step to protecting your account is to avoid giving out sensitive information in the first place. “Any time you have to give your personally identifiable information to a service,” said Hayat, “think twice about whether it’s necessary. The less we give out, the fewer chances of us being affected by a breach.”

Your date of birth, passport number and even address can put you at risk, so avoid giving these out, if possible. If you absolutely need to hand over this information, there is less risk if the website offers two-factor authentication. If the program doesn’t, then Hayat recommends reaching out and requesting that they start offering it.


Use multi-factor authentication

If you’re an Amazon customer, you’ve probably set up two-factor authentication and are used to receiving text messages with verification codes when you attempt to log in to your account. This keeps your information safe from potential hackers who may get a hold of your password and charge things to your Amazon account. You might think, “That’s not smart. They would have to provide their home address for those orders. They would get caught.”

Well, about eight years ago, my friend’s home was burglarized while she was away on vacation. Not only did the thieves swipe all her electronics, but they also accessed all her login information that she kept on her laptop. They proceeded to order thousands of dollars in merchandise from Amazon with her credit card. She had a name and mailing address but when she reported it to the police, they told her to dispute the charge with her credit card company because they simply did not have the budget to pursue theft cases. She had the thief’s name and home address and yet they couldn’t investigate. The lack of repercussions likely did nothing to deter this particular thief from continuing on their crime spree.

According to Hayat, multi-factor authentication can help prevent scenarios like this one. While Amazon uses text-based authentication, Hayat advises against it. “Those are vulnerable to SIM swap attacks, where an attacker can convince your carrier to transfer your phone number to their SIM. If you must use text-based authentication, I suggest you call your carrier and set up a PIN with them. I recommend using Microsoft Authenticator or Google Authenticator. If you want to take it a step further, use YubiKey.”

Check if your data has been compromised

Hayat also recommends that you regularly check Have I Been Pwned to see whether your information has been leaked in a data breach. If your account has already been compromised, the best thing to do is immediately change your passwords, then start using a password manager and multi-factor authentication.


Use a password manager

Confession: In the past, I kept all my reward program passwords in a document on my laptop. If anyone had gained access to that document, all my information would have been compromised. Experts recommend creating unique passwords for each account, but that’s incredibly tough to manage if storing them all on a computer or paper file isn’t an option.

Hayat recommends a password manager as a secure way to store all your login credentials in one place. “That way, you will have a strong and unique password for every service and if one of them gets leaked, the attacker won’t be able to use that on other services. This will protect you against something called credential stuffing.

Credential stuffing is where an attacker uses leaked credentials to gain unauthorized access to user accounts on other services. For example, if you use the same password on website A and B, if website A’s data gets breached, an attacker could use that to log into website B. By using unique passwords, you will be protected against such an attack.” 
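The attack Hayat describes also has a recognisable shape from the service's side: one source trying a list of leaked username/password pairs against many different accounts. As an added example (not part of this article or Hayat's advice), the following detector runs over a few constructed login log lines (the format, field names and RFC 5737 documentation addresses are all invented for the example) and flags sources whose failures are spread across many distinct accounts, then lists the accounts where such a source actually got in, which are the ones whose owners reused a password and should be forced to reset.

```python
import re
from collections import defaultdict

# Constructed sample login log (not from any real system). 203.0.113.7 tries
# six different accounts in seconds; 198.51.100.2 is one user mistyping.
SAMPLE_LOG = """\
2020-09-19T08:00:01Z ip=203.0.113.7 user=alice result=fail
2020-09-19T08:00:02Z ip=203.0.113.7 user=bob result=fail
2020-09-19T08:00:02Z ip=203.0.113.7 user=carol result=fail
2020-09-19T08:00:03Z ip=203.0.113.7 user=dave result=success
2020-09-19T08:00:03Z ip=203.0.113.7 user=erin result=fail
2020-09-19T08:00:04Z ip=203.0.113.7 user=frank result=fail
2020-09-19T08:01:10Z ip=198.51.100.2 user=alice result=fail
2020-09-19T08:01:25Z ip=198.51.100.2 user=alice result=fail
2020-09-19T08:01:40Z ip=198.51.100.2 user=alice result=success
"""

# Hypothetical log line layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse_auth_log(text: str) -> list:
    """Turn raw lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_stuffing_sources(events: list, min_attempts: int = 5, min_distinct_users: int = 4) -> set:
    """A single user forgetting a password hits one account repeatedly;
    credential stuffing hits many accounts from one source. Flag sources
    that cross both thresholds."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        attempts[e["ip"]] += 1
        users[e["ip"]].add(e["user"])
    return {
        ip for ip in attempts
        if attempts[ip] >= min_attempts and len(users[ip]) >= min_distinct_users
    }

def accounts_to_review(events: list, flagged_ips: set) -> list:
    """Accounts a flagged source logged into successfully: these are the
    reused-password victims the service should force to reset."""
    return sorted({
        e["user"] for e in events
        if e["ip"] in flagged_ips and e["result"] == "success"
    })

if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evts)
    print("suspect sources:", flagged)
    print("accounts to reset:", accounts_to_review(evts, flagged))
```

In the sample, only "dave" is caught, and only because the same password worked on both services, which is exactly the case a unique password per account removes.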

Hayat recommends 1Password as a great option that is reputable and secure.

Monitor your credit

Whether you invest in a credit monitoring service or check your score occasionally, Hayat recommends checking your credit report annually to ensure there are no discrepancies. If a hacker maxes out your credit card in your name, you’ll see it on your credit report. You can even get free credit monitoring through Experian and receive notifications when a new account is opened or your credit score changes.

For more peace of mind, Hayat recommends freezing your credit and lifting it temporarily before opening a new account. A credit freeze will prevent anyone from accessing your credit information or opening a new account. If your data has been leaked, a credit freeze is the best way to protect yourself against further damage.


Petition loyalty programs to get serious about security

With all the recent data breaches, it’s become apparent that companies are not taking the necessary precautions to keep our data safe. “There are many companies today that don’t make the necessary investments in their cybersecurity. We see time and time again that leaked passwords are not hashed and salted or weak hashing like MD5 is used, which can be easily cracked. Therefore, as users, we must take the necessary steps, so we are protected in the event of a breach.”
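To make the point about hashing concrete, here is an added example (not code from this article, from Hayat, or from any loyalty program) contrasting the weak storage the quote describes with a salted, slow hash. With unsalted MD5, two customers who chose the same password get identical stored values, so a single precomputed table resolves both at once and the leaked file is as good as plaintext. With a random per-user salt and PBKDF2-HMAC-SHA256 at a meaningful iteration count, identical passwords produce different records and each one has to be attacked separately and slowly. The record layout and the 200,000-iteration work factor are choices made for this example.

```python
import hashlib
import hmac
import os

def weak_md5_record(password: str) -> str:
    """The pattern the quote warns about: unsalted MD5. Same password in,
    same hash out, for every user, on every site that does this."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_record(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 with a work factor.
    Stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (layout chosen here)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def any_shared_hashes(records: list) -> bool:
    """True if two stored records are identical, which tells an attacker two
    users share a password and lets one table lookup crack both."""
    return len(set(records)) < len(records)

if __name__ == "__main__":
    # Constructed example accounts; two customers picked the same password.
    users = {"alice": "Summer2020!", "bob": "Summer2020!", "carol": "correct horse"}
    md5_table = {u: weak_md5_record(p) for u, p in users.items()}
    salted_table = {u: salted_record(p) for u, p in users.items()}
    print("unsalted MD5 reveals shared password:", any_shared_hashes(list(md5_table.values())))
    print("salted PBKDF2 reveals shared password:", any_shared_hashes(list(salted_table.values())))
    print("alice login ok:", verify_salted("Summer2020!", salted_table["alice"]))
```

This is the service's responsibility, not yours, which is why the quote ends where it does: you cannot fix how a program stores passwords, but a unique password per account means that even an MD5 leak only ever exposes that one account.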

Hayat recommends reaching out to loyalty programs and banks that haven’t implemented two-factor authentication and requesting that they do. After all, we’re responsible for our data and if we’re handing it over to a third party like a loyalty program, we should ensure that it remains safe.

Bottom line

I’ve personally experienced two loyalty program hacks. In 2013, my Club Carlson (now Radisson Rewards) account was compromised and hackers redeemed my points for gift cards. The latter part of that story is perhaps what bothered me the most because Club Carlson quickly refunded the points and it hasn’t happened since. 

The second time, I received flight confirmation emails from JetBlue for trips I had not booked. Someone had hacked into my JetBlue pool and redeemed almost 70,000 points for two round-trip transcontinental flights. I eventually got back into my account, kicked the perpetrator out of my family pool and got my points back.

Chances are, you’ve had your own brush with a data breach you may not even be aware of. Follow the tips outlined in this story to minimize potential damage and protect yourself against further identity theft. 

Bahman Hayat is a software engineer who has an interest in cybersecurity. Bahman is listed on the AT&T Bug Bounty Program Hall of Fame and has received a Security Researcher Acknowledgement from Microsoft for responsibly disclosing security vulnerabilities. You can learn more about data security and follow Bahman’s travel adventures on Instagram.
