Skip to content

How to protect yourself against reward program data breaches

Sept. 19, 2020
9 min read
woman sits on couch while using laptop
This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

In recent years, it’s become clear that cybersecurity is an issue many companies continue to struggle with. Unfortunately, that extends to the world of loyalty programs. In the last two years alone, both Marriott and IHG Rewards Club have been subject to data breaches that affected millions of consumers. Capital One was compromised last year and the Equifax hack of 2017 left millions of Americans vulnerable to identity theft. Even Panera Bread experienced a data breach in 2018 that impacted 37 million customers.

With loyalty programs being vulnerable targets, it’s more important than ever to protect your information from being exposed. So how do you go about doing that?

I reached out to Bahman Hayat, a software engineer specializing in cybersecurity, for advice on keeping our data safe from hackers. According to Hayat, data hacks are becoming more common due to poor cybersecurity and sometimes negligence. “There are many ways data breaches happen, from storage buckets and databases being left unsecured on the internet to social engineering attacks against authorized users to simple human errors.”

“At this point, we should assume that we have already been affected and we should expect to be affected again in the future.”

While giving out our information exposes us to risk, joining a reward program isn’t something we can simply bypass. So what can we do to protect ourselves against future data breaches? Here are six simple steps you can take today.

For more TPG news delivered each morning to your inbox, sign up for our daily newsletter.

Avoid giving out sensitive information unless absolutely necessary

The first step to protecting your account is to avoid giving out sensitive information in the first place. “Any time you have to give your personally identifiable information to a service,” said Hayat, “think twice about whether it’s necessary. The less we give out, the fewer chances of us being affected by a breach.”

Your date of birth, passport number and even address can put you at risk, so avoid giving these out, if possible. If you absolutely need to hand over this information, there is less risk if the website offers two-factor authentication. If the program doesn’t, then Hayat recommends reaching out and requesting that they start offering it.

Related: How to prevent credit card fraud

Sign up for our daily newsletter

Use multi-factor authentication

If you’re an Amazon customer, you’ve probably set up two-factor authentication and are used to receiving text messages with verification codes when you attempt to log in to your account. This keeps your information safe from potential hackers who may get a hold of your password and charge things to your Amazon account. You might think, “That’s not smart. They would have to provide their home address for those orders. They would get caught.”

Well, about eight years ago, my friend’s home was burglarized while she was away on vacation. Not only did the thieves swipe all her electronics, but they also accessed all her login information that she kept on her laptop. They proceeded to order thousands of dollars in merchandise from Amazon with her credit card. She had a name and mailing address but when she reported it to the police, they told her to dispute the charge with her credit card company because they simply did not have the budget to pursue theft cases. She had the thief’s name and home address and yet they couldn’t investigate. The lack of repercussions likely did nothing to deter this particular thief from continuing on their crime spree.

According to Hayat, multi-factor authentication can help prevent scenarios like this one. While Amazon uses text-based authentication, Hayat advises against it. “Those are vulnerable to sim swap attacks, where an attacker can convince your carrier to transfer your phone number to their sim. If you must use text-based authentication, I suggest you call your carrier and set up a PIN with them. I recommend using Microsoft Authenticator or Google Authenticator. If you want to take it a step further, use YubiKey.”

Check if your data has been compromised

Hayat also recommends that you regularly check Have I Been Pawned to see whether your information has been leaked due to a data breach. If your account has already been compromised, the best thing to do is immediately change your passwords, start using a password manager and multi-factor authentication.

Related: You are most likely to be hacked in these U.S. airports

Use a password manager

Confession: In the past, I kept all my reward program passwords in a document on my laptop. If anyone had gained access to that document, all my information would have been compromised. Experts recommend creating unique passwords for each account, but that’s incredibly tough to manage if storing them all on a computer or paper file isn’t an option.

Hayat recommends a password manager as a secure way to store all your login credentials in one place. “That way, you will have a strong and unique password for every service and if one of them gets leaked, the attacker won’t be able to use that on other services. This will protect you against something called credential stuffing.

Credential stuffing is where an attacker uses leaked credentials to gain unauthorized access to user accounts on other services. For example, if you use the same password on website A and B, if website A’s data gets breached, an attacker could use that to log into website B. By using unique passwords, you will be protected against such an attack.”

Hayat recommends 1Password as a great option that is reputable and secure.

Monitor your credit

Whether you invest in a credit monitoring service or check your score occasionally, Hayat recommends check your credit report annually to ensure there are no discrepancies. If a hacker maxes out your credit card in your name, you’ll see it on your credit report. You can even get free credit monitoring through Experian and receive notifications when a new account is opened or your credit score changes.

For more peace of mind, Hayat recommends freezing your credit and lifting it temporarily before opening a new account. A credit freeze will prevent anyone from accessing your credit information or opening a new account. If your data has been leaked, a credit freeze is the best way to protect yourself against further damage.

Related: 6 things to do to improve your credit in 2020

Petition loyalty programs to get serious about security

With all the recent data breaches, it’s become apparent that companies are not taking the necessary precautions to keep our data safe. “There are many companies today that don’t make the necessary investments in their cybersecurity. We see time and time again that leaked passwords are not hashed and salted or weak hashing like MD5 is used, which can be easily cracked. Therefore, as users, we must take the necessary steps, so we are protected in the event of a breach.”

Hayat recommends reaching out to loyalty programs and banks that haven’t implemented two-factor authentication and requesting that they do. After all, we’re responsible for our data and if we’re handing it over to a third party like a loyalty program, we should ensure that it remains safe.

Bottom line

I’ve personally experienced two loyalty program hacks. In 2013, my Club Carlson (now Radisson Rewards) account was compromised and hackers redeemed my points for gift cards. The latter part of that story is perhaps what bothered me the most because Club Carlson quickly refunded the points and it hasn’t happened since.

The second time, I received flight confirmation emails from JetBlue for trips I had not booked. Someone had hacked into my JetBlue pool and redeemed almost 70,000 points for two round-trip transcontinental flights. I eventually got back into my account, kicked the perpetrator out of my family pool and got my points back

Chances are, you’ve had your own brush with a data breach you may not even be aware of. Follow the tips outlined in this story to minimize potential damage and protect yourself against further identity theft.

Bahman Hayat is a software engineer who has an interest in cybersecurity. Bahman is listed on the AT&T Bug Bounty Program Hall of Fame and has received a Security Researcher Acknowledgement from Microsoft for responsibly disclosing security vulnerabilities. You can learn more about data security and follow Bahman’s travel adventures on Instagram.

Featured image by JOHNER IMAGES/GETTY IMAGES

Top offers from our partners

How we chose these cards

Our points-obsessed staff uses a plethora of credit cards on a daily basis. If anyone on our team wouldn’t recommend it to a friend or a family member, we wouldn’t recommend it on The Points Guy either. Our opinions are our own, and have not been reviewed, approved, or endorsed by our advertising partners.
See all best card offers

TPG featured card

Best card for premium perks while traveling
TPG Editor‘s Rating
Card Rating is based on the opinion of TPG‘s editors and is not influenced by the card issuer.
4 / 5
Go to review

Rewards

2 - 10X points
10XEarn unlimited 10X miles on hotels and rental cars booked through Capital One Travel
5X5X miles on flights booked through Capital One Travel.
2X2 Miles per dollar on every purchase, every day

Intro offer

75,000 bonus miles
Earn 75,000 bonus miles when you spend $4,000 on purchases in the first 3 months from account opening, equal to $750 in travel

Annual Fee

$395

Recommended Credit

740-850
Excellent
Credit ranges are a variation of FICO© Score 8, one of many types of credit scores lenders may use when considering your credit card application.

Why We Chose It

The Capital One Venture X card is one of the best all-round travel credit cards ever launched. Not only is it offering a tremendous welcome bonus, but cardholders can earn tons of miles on everyday spending and receive a 10,000-mile anniversary bonus to boot. Its annual fee is $395, but cardholders can count on up to $300 in statement credits toward travel booked through Capital One Travel each year and other valuable benefits like access to Priority Pass lounges and Capital One’s own growing family of airport lounges.

Pros

  • Excellent welcome offer worth 75,000 miles after you spend $4,000 on purchases in the first three months.
  • Up to $300 in annual travel statement credits toward bookings make through Capital One Travel.
  • 10,000 bonus miles (worth $100 toward travel) each account anniversary.

Cons

  • The $395 annual fee might be expensive for some, but this card’s benefits provide much more value than that.
  • If you don’t travel frequently, this might not be the best card for you.
  • Earn 75,000 bonus miles when you spend $4,000 on purchases in the first 3 months from account opening, equal to $750 in travel
  • Receive up to $300 back annually as statement credits for bookings through Capital One Travel, where you'll get Capital One's best prices on thousands of options
  • Get 10,000 bonus miles (equal to $100 towards travel) every year, starting on your first anniversary
  • Earn unlimited 10X miles on hotels and rental cars booked through Capital One Travel and 5X miles on flights booked through Capital One Travel
  • Earn unlimited 2X miles on all other purchases
  • Unlimited complimentary access for you and two guests to 1,400+ lounges, including Capital One Lounges and our Partner Lounge Network
  • Receive up to a $100 credit for Global Entry or TSA PreCheck®
  • Use your Venture X miles to easily cover travel expenses, including flights, hotels, rental cars and more—you can even transfer your miles to your choice of 15+ travel loyalty programs
  • Named editors' choice for "Best New Credit Card of 2021" by The Points Guy
  • Earn 10 miles per dollar when you book on Turo, the world's largest car sharing marketplace, through May 16, 2023
Best card for premium perks while traveling
TPG Editor‘s Rating
Card Rating is based on the opinion of TPG‘s editors and is not influenced by the card issuer.
4 / 5
Go to review

Rewards Rate

10XEarn unlimited 10X miles on hotels and rental cars booked through Capital One Travel
5X5X miles on flights booked through Capital One Travel.
2X2 Miles per dollar on every purchase, every day
  • Intro Offer
    Earn 75,000 bonus miles when you spend $4,000 on purchases in the first 3 months from account opening, equal to $750 in travel

    75,000 bonus miles
  • Annual Fee

    $395
  • Recommended Credit
    Credit ranges are a variation of FICO© Score 8, one of many types of credit scores lenders may use when considering your credit card application.

    740-850
    Excellent

Why We Chose It

The Capital One Venture X card is one of the best all-round travel credit cards ever launched. Not only is it offering a tremendous welcome bonus, but cardholders can earn tons of miles on everyday spending and receive a 10,000-mile anniversary bonus to boot. Its annual fee is $395, but cardholders can count on up to $300 in statement credits toward travel booked through Capital One Travel each year and other valuable benefits like access to Priority Pass lounges and Capital One’s own growing family of airport lounges.

Pros

  • Excellent welcome offer worth 75,000 miles after you spend $4,000 on purchases in the first three months.
  • Up to $300 in annual travel statement credits toward bookings make through Capital One Travel.
  • 10,000 bonus miles (worth $100 toward travel) each account anniversary.

Cons

  • The $395 annual fee might be expensive for some, but this card’s benefits provide much more value than that.
  • If you don’t travel frequently, this might not be the best card for you.
  • Earn 75,000 bonus miles when you spend $4,000 on purchases in the first 3 months from account opening, equal to $750 in travel
  • Receive up to $300 back annually as statement credits for bookings through Capital One Travel, where you'll get Capital One's best prices on thousands of options
  • Get 10,000 bonus miles (equal to $100 towards travel) every year, starting on your first anniversary
  • Earn unlimited 10X miles on hotels and rental cars booked through Capital One Travel and 5X miles on flights booked through Capital One Travel
  • Earn unlimited 2X miles on all other purchases
  • Unlimited complimentary access for you and two guests to 1,400+ lounges, including Capital One Lounges and our Partner Lounge Network
  • Receive up to a $100 credit for Global Entry or TSA PreCheck®
  • Use your Venture X miles to easily cover travel expenses, including flights, hotels, rental cars and more—you can even transfer your miles to your choice of 15+ travel loyalty programs
  • Named editors' choice for "Best New Credit Card of 2021" by The Points Guy
  • Earn 10 miles per dollar when you book on Turo, the world's largest car sharing marketplace, through May 16, 2023