How to Safeguard Yourself Against Data Breaches in Loyalty Programs

In recent years, the reality of cybersecurity challenges has become evident for many companies, and loyalty programs are no exception. High-profile breaches affecting Marriott Bonvoy and IHG One Rewards have compromised the data of millions, while the Equifax breach in 2017 put countless Americans at risk of identity theft. Recently, Clint Henderson, a managing editor at TPG, experienced a hacking incident where over 300,000 miles were stolen from his AAdvantage account.
Given the susceptibility of loyalty programs, it's crucial to protect your personal information from being exposed. But how can you effectively achieve this?
TPG consulted Bahman Hayat, a cybersecurity expert with a background at IBM and Microsoft, for insights on how to safeguard our data against hackers. Hayat emphasized that data breaches are increasingly frequent due to inadequate cybersecurity practices and occasional oversight.
"Data breaches can occur in numerous ways, including unsecured storage systems and databases, social engineering targeting authorized users, and simple human mistakes," Hayat stated. "At this stage, we should operate under the assumption that our data has already been compromised and prepare for future incidents."
While sharing our personal information carries certain risks, participating in a rewards program is often unavoidable. So, what measures can we take to safeguard ourselves against future data breaches? Here are some straightforward steps you can implement.
Refrain from sharing sensitive information unless absolutely necessary

The initial step in securing your account is to minimize the sharing of sensitive information from the outset.
"Whenever you're required to provide personally identifiable information to a service, take a moment to reconsider its necessity," Hayat advised. "The less we share, the fewer opportunities there are for us to be impacted by a breach."
Details like your date of birth, passport number, and even your address can expose you to risks, so it's best to avoid sharing them when possible. If you must provide this information, using a site that offers two-factor authentication reduces your risk. If the program doesn't provide this feature, Hayat suggests contacting them to request its implementation.
Implement two-factor authentication
Activating two-factor authentication on your loyalty account is a simple yet essential step to bolster your online security.
Two-factor authentication enhances security by requiring two forms of verification before granting access. This usually consists of something you know (like a password) and something you possess (like a smartphone app that generates a temporary code or sends a push notification) or biometrics such as fingerprints or facial recognition. This dual verification process makes it significantly more difficult for unauthorized users to gain access, as they would need both your password and the second verification factor.
In addition, two-factor authentication sends an instant notification if there's an attempt to access your account, enabling you to take immediate action to secure it. This proactive strategy is essential for preventing unauthorized transactions and protecting your points and miles.
If you're an Amazon user, you're likely familiar with setting up two-factor authentication and receiving text messages with verification codes when logging into your account. This protects your information from potential hackers who might compromise your password and make unauthorized purchases. You might think that would be foolish on the hacker's part, since they'd have to give their home address for delivery, which would expose them.
Hackers may have various reasons for wanting access to your Amazon account, including a scam known as 'brushing,' where they send low-quality products to customers who didn't order them, subsequently posting fake reviews to boost their visibility in the online marketplace.
Hayat suggests that multifactor authentication can help avert situations like this. While Amazon employs text-based authentication, he cautions against relying on it.
"Text-based methods are susceptible to SIM swap attacks, where an attacker persuades your carrier to switch your number to their SIM card," he explained. "If you must use text-based authentication, be sure to set up a PIN with your carrier. I recommend using Microsoft Authenticator or Google Authenticator, and for added security, consider using YubiKey."
Confirm whether your data has been compromised

Hayat also advises checking Have I Been Pwned regularly to see if your information has been exposed in a data breach. If you discover that your account has been breached, promptly change your passwords and consider using a password manager along with multifactor authentication.
Employ a password manager
Confession: Previously, I stored all my rewards program passwords in a document on my laptop. If someone had accessed that file, all of my information could have been compromised. Experts suggest creating distinct passwords for every account, but this can be quite challenging if you rely on a computer or paper for storage.
Hayat suggests using a password manager as a safe way to keep all your login information centralized.
"This ensures you have a robust and unique password for each service, so if one gets compromised, the attacker won't be able to access your accounts on other platforms. This strategy guards against what's known as 'credential stuffing,'" Hayat explained.
"Credential stuffing occurs when an attacker takes leaked credentials to illegally access user accounts on different services," Hayat elaborated. "For instance, if you use the same password for both websites A and B, and website A experiences a breach, an attacker could use those credentials to access website B. By employing unique passwords, you can defend against this type of attack," he noted.
Hayat recommends 1Password as an excellent, trustworthy, and secure option for password management.
Keep an eye on your credit

Whether you choose to invest in a credit monitoring service or simply check your score from time to time, Hayat advises reviewing your credit report at least once a year to spot any inaccuracies. If a hacker runs up charges on your credit card in your name, it will be reflected in your report. You can even obtain free credit monitoring through Experian, which will alert you whenever a new account is opened or your credit score changes.
For added security, Hayat suggests freezing your credit and temporarily lifting the freeze when you're ready to open a new account. A credit freeze blocks anyone from accessing your credit information or opening new accounts. If your information has been compromised, this is one of the best ways to shield yourself from further harm.
Urge loyalty programs to prioritize security
Given the surge in data breaches, it's clear that companies are not implementing the essential measures to safeguard our data.
"Many companies today fail to invest adequately in their cybersecurity," Hayat shared with TPG. "We repeatedly observe that leaked passwords are not properly hashed and salted, or that outdated hashing methods like MD5 are employed, which can be easily cracked. Consequently, it is essential for us as users to take proactive measures to safeguard ourselves in the event of a breach."
Hayat advises reaching out to loyalty programs and banks that have not adopted two-factor authentication, urging them to implement it. Ultimately, we are responsible for our data, and when we share it with a third party like a loyalty program, we need to ensure its protection.
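What "properly hashed and salted" means in practice, as an added example that is not from the article or from any loyalty program's code: it stores the same constructed member table once with unsalted MD5 and once with a salted, deliberately slow hash, then shows what each leaked table gives away. The member names, passwords, PBKDF2 choice and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed member table: alice and carol happen to reuse the same password.
MEMBERS = {"alice": "Miles4Ever!", "bob": "aisle-seat-22", "carol": "Miles4Ever!"}


def md5_unsalted(password: str) -> str:
    """The weak scheme from the quote: fast, unsalted, same input gives same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256), fresh salt per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    _scheme, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def members_sharing_a_hash(table: dict) -> list:
    """What a leaked table reveals without any cracking: who shares a stored hash."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(members: dict = MEMBERS):
    weak = {u: md5_unsalted(p) for u, p in members.items()}
    strong = {u: hash_password(p) for u, p in members.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted MD5, shared hashes:", members_sharing_a_hash(weak))
    print("salted PBKDF2, shared hashes:", members_sharing_a_hash(strong))
```

With unsalted MD5, identical passwords produce identical stored values, so one recovered password exposes every member who reused it; the per-user salt removes that link and the iteration count makes each guess expensive.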
How is your loyalty program safeguarding you against breaches?
A wave of recent data breaches has prompted various airline and hotel loyalty programs to mandate two-factor authentication as a necessary step for account access. Although this may be inconvenient for frequent users, it's far better to prioritize safety. Here’s how leading loyalty programs are addressing data security:
Airline programs
- American Airlines AAdvantage: Two-factor authentication available via email (optional)
- Delta SkyMiles: No two-factor authentication offered
- Frontier Miles: Two-factor authentication available (optional)
- JetBlue TrueBlue: Two-factor authentication required by email, with an option to switch to a more secure text-based method
- United MileagePlus: Testing two-factor authentication on a selective basis
- Southwest Rapid Rewards: Two-factor authentication not available
- Free Spirit: Two-factor authentication not available
- Air Canada Aeroplan: Two-factor authentication required via email
- Air France-KLM Flying Blue: Two-factor authentication required via email
- British Airways Executive Club: Two-factor authentication available via email (optional)
- Qatar Airways Privilege Club: Two-factor authentication required via email
- Singapore Airlines KrisFlyer: Two-factor authentication optional for flight bookings; mandatory for changes to KrisFlyer accounts
Hotel programs
- Hilton Honors: Two-factor authentication required by email for specific actions, such as logging in from a new device
- Marriott Bonvoy: Two-factor authentication available via email or phone (optional)
- IHG One Rewards: Two-factor authentication not available
- Radisson Rewards: Two-factor authentication not available
- World of Hyatt: Two-factor authentication not available
Final thoughts
As technology evolves, it's no surprise that cybercriminals are increasingly targeting our data. Loyalty programs store sensitive personal details along with potentially valuable points and miles, making it essential to safeguard your accounts.
By following the advice shared in this article, you can reduce potential risks and take proactive steps to safeguard yourself from further identity theft.
