Why Your Airline Points and Miles Are Targeted by Hackers—and How to Safeguard Them

For countless travelers, airline miles and hotel points hold significant value—they serve as a form of currency for booking flights and accommodations globally.

However, many individuals may not consider the risk of their frequent flyer accounts being hacked. Experts recommend that travelers keep a close eye on their frequent flyer activity, just as they do with their bank and credit card accounts.

Kurt Long, founder of the cybersecurity firm Bunkr, notes that the theft of points and miles has surged in recent years, partly due to significant data breaches at companies like Starwood/Marriott, MGM, Star Alliance, and OneWorld, which exposed travelers’ sensitive information, including usernames and passwords. Additionally, fewer people traveled during the pandemic, which contributed to the problem.

“Many people don’t regularly check their account balances, and during the pandemic, they weren't using their points either,” Long explained. “At the same time, rewards programs issued a large number of points, increasing the targets for theft.”

He noted that the security regulations governing information in the travel industry are generally less stringent than those in regulated sectors like banking, wealth management, and healthcare. As a result, there are fewer penalties for breaches, leading to fewer protections for travelers.

Gary Leff, who shares insights on frequent flyer points and miles through his blog, ViewFromTheWing.com, remarked that while there is a widespread belief that points and miles theft is increasing, obtaining solid data to confirm this is challenging. Many loyalty programs keep their actual fraud statistics confidential.

Airlines are not very forthcoming about the specific measures they are implementing to prevent the theft of customer points and miles. When inquired, a representative from Delta stated, “Information security is definitely a focus for our teams as we strive to improve for our customers.” In a similar vein, a spokesperson from American Airlines emphasized, “Data security is paramount as our customers entrust us with their personal information during travel bookings and in our AAdvantage loyalty program. We are continually enhancing security on aa.com to better protect our members' information.”

Once hackers gain access to your account, they might exploit your points and miles for actual hotel stays and flights, or even redeem them at participating retailers like Amazon.

“Criminals may also choose to redeem the points for themselves and subsequently sell the rewards,” explained Steve Weisman, author of Identity Theft Alert and a professor at Bentley University specializing in white-collar crime. He cited an incident where Russian hackers did this in 2017 by using British Airways miles for upgrades, hotels, and rental cars, which they then sold to unsuspecting buyers through seemingly legitimate websites.

“They are highly organized, which may not be fully appreciated by the public,” Long stated. “They have substantial funding, develop software, and utilize various tools. When they acquire your personal information, they run it through automated systems to identify vulnerabilities. Once they breach your accounts, they will extract as much as they can. The travel sector is a significant and profitable target for them.”

Here’s what you should know to safeguard your points and miles accounts from hacking attempts.

How to safeguard your frequent flyer accounts

Unlike bank accounts, which provide monthly statements, travelers typically have to log in to check their points and miles balance, requiring more effort to stay informed about their accounts.

Effective password management—utilizing unique, complex passwords for each account—is essential in preventing hackers from accessing your information, Long emphasized. If you use the same password across multiple accounts (be it for a newspaper subscription, your Starbucks account, or Netflix) or create simple variations, and hackers obtain one, they will attempt to use it everywhere possible.

Gaining access to your mileage plan account can lead to chaos in other areas of your life. Typically, credit cards are linked to airline and hotel accounts, which hackers would also exploit. The more personal information they uncover (such as your employer, address, and phone number), the greater the potential harm they can inflict, including applying for credit cards or loans in your name.

Long recommends considering a password manager that can create strong passwords and keep track of them for you. Additionally, implementing two-factor authentication (which requires two forms of identification, like a password and a one-time PIN sent via text) can significantly slow down criminals.

Travelers can also fall victim to scams, according to Justin Lavelle, a scams prevention expert at BeenVerified.com. Often, they may receive emails or texts from someone pretending to be an airline, travel site, or agency, claiming they’ve won extra miles or a flight. These messages include a phone number or link to claim the prize. When victims follow through, they reach a scammer who asks for sensitive information, including airline account numbers. This information is then sold to other criminals. It's crucial to be wary of unexpected emails—if you don’t recognize the sender or if the message seems off, avoid clicking any links.

“The best way to protect your miles is to regularly check your account,” Leff advised. “While I can’t log into every airline site daily, I can visit AwardWallet.com, click one button, and update most (though not all) of my account balances. This way, I can quickly see if any points have been removed from my account without my knowledge.”

What actions should you take if your airline miles or hotel points are compromised?

Points are your personal assets; while they might not be physical like cash or gold, they still hold monetary value, and stealing them constitutes a crime.

Your first step should be to reach out to the airline or hotel and inform them that you did not authorize the use of those miles or points, requesting their return.

“Companies are not legally required to return your points or miles,” stated Ben Farrow, a LegalShield partner attorney. “There’s no law mandating it.”

However, he noted that most airlines and hotels often do restore points and miles to customers, particularly if the company was at fault—like if hackers breached their system and stole users' points. Customers can pursue legal action, and if the company is found liable, they would have to compensate for the losses. Nonetheless, Farrow mentioned that it is usually more favorable for companies to return points and miles to users.

“Loyal customers who have frequent flier miles are the ones they want to keep,” Farrow added. “So, most of the time, they’ll make exceptions for you.”

Be aware that after your points or miles are stolen, the hotel or airline might issue a new account number, which can complicate existing reservations, especially with partner airlines, and necessitate updating your frequent flier number with car rental and gas station partners where you earn miles.

If the airline or hotel refuses to refund your miles, Farrow suggests considering filing a criminal complaint with your local sheriff's department. Although law enforcement might struggle to apprehend the criminal—particularly if they operate from a country without extradition treaties with the U.S.—this will create a record of the crime. You could then report the matter to the Federal Trade Commission (FTC), citing the company's negligence with your data that led to your loss of points and miles. While the FTC may not investigate individual cases, it helps compile data, and if enough complaints arise, it can push for regulatory changes.

“Do you remember all those auto warranty calls? They got shut down after enough complaints were filed with the FTC,” Farrow pointed out. “Unless enough people voice their concerns about issues like this, change won’t happen.”

Sheryl Nance-Nash contributed to the reporting of this article.