As travel managers and corporations consider tying their travel
programs more formally to supplier loyalty programs—and encouraging travelers
to participate in them—data security should form a critical part of the
discussion, as supplier loyalty program systems have proven additionally
vulnerable to hacking.
A Global Business Travel Association report released in July showed
that 20 percent of travel managers considered hotel loyalty programs “very” or
“extremely” important to supplier negotiations and selections. Moreover, 72
percent of respondents were “somewhat” or “very” interested in partnering with
hotel loyalty programs to drive bookings through preferred channels by offering
bonus points or some other benefit.
In 2014, hackers breached the membership rewards programs of American
Airlines, Hilton Worldwide and United Airlines. American and United both
confirmed to Travel Procurement that their own systems were not hacked;
rather, the infiltrators penetrated their rewards programs through third
parties.
“Points are a form of currency. So if you can break into an account and
move points out, you’ve essentially stolen money,” said Rurik Bradbury, chief
marketing officer of fraud protection service Trustev.
Because loyalty programs don’t process or store credit card data,
they’re not bound by the Payment Card Industry Data Security Standard, which
requires all companies that do process card data to maintain a secure
environment. Bottom line: Rewards-scheme logins and security authentications
aren’t as secure as systems that handle credit cards.
Merchants also are not required to report a loyalty program data breach
to the public as they would a card breach. These breaches are less noticeable,
as people aren’t as vigilant about their accounts; members aren’t always aware of
their balances, nor do they check for unauthorized transactions as often as
they would their bank and credit card accounts, said Trustev CEO and co-founder
Pat Phelan.
Why Buyers Should Be Concerned
Oracle has seen at least one case of a loyalty account being breached,
said global travel director Rita Visser. Oracle didn’t take action in that
case, as employees are responsible for managing their own rewards accounts, and
she questions whether and when it becomes a corporate liability. “I don’t know
the answer to that,” she said. “If there’s a corporate liability, we’re always
doing the right thing.”
Visser is more concerned about the data available in traveler profiles.
“Home address, emergency contacts, phone numbers, date of birth—that info sits
in a Sabre profile,” she said. “A breach of data on that site scares the heck
out of me.” That’s because Oracle travelers are on file with Sabre, whereas
only isolated employees sign up for loyalty schemes, and they personally opt to
do so.
Still, there’s plenty of data overlap between loyalty programs and
traveler profiles, as well as credit cards, and as travel managers consider
integrated loyalty agreements, the risk increases.
An American Airlines spokesperson told Travel Procurement that
the carrier’s loyalty program doesn’t collect credit card numbers or
date-of-birth information, but a cursory search of several major airline and
hotel loyalty program registration sites—including the largest carriers and
chains—showed that they do require members to provide their addresses and phone
numbers. At least one hotel chain loyalty program requested—but did not
require—a birth month and year for promotional purposes and another offered a
shortcut registration that authorized a data pull from Facebook in lieu of
filling out an online form. Further, Phelan pointed out that people tend to
align their credit card to airline and hotel points.
And once hackers tap loyalty data, they don’t pack up and go home.
“These loyalty programs are a gateway drug,” Phelan said. “Once they’re in,
there’s enough in there about you that they can start figuring stuff out pretty
rapidly. They have a credit card, name, address, maybe a date of birth. Now
they’re really close to getting a social security number.”
As SNDR founder and CEO Shaun Murphy puts it, “Hackers are in this for
the long con. Every bit of data they get on you, it’s just adding to the bigger
picture.”
Business Travelers Should Remain Vigilant
Although people continually are warned not to use the same username and
password for multiple accounts, they do. It’s understandable; it’s difficult to
keep track of so many username and password combinations.
Liable or not, corporations are wise to encourage or even require
travelers to use distinct security credentials for each corporate travel and
card account and to remain vigilant with their personal information.
Even if the loyalty program doesn’t tie to a credit card or date of
birth, bank and email accounts that share the same username and password might.
Hackers initially aimed to drain accounts of points, trade them for tangible
goods like airline tickets and hotel stays and resell those for cash, but their
goals have become loftier.
Once the hackers are inside a merchant’s network, even if it’s just the
loyalty scheme, “it’s pretty easy for the criminal to jump or hop into other
parts of the network if they don’t have the segregation that they need between
the nonpayment and the payment side of the business,” said Verifone chief
security officer Joe Majka. “Once they get a foothold into the nonpayment side,
they begin to scan the networks. What they’re looking for is the admin ID and
credential. Once they capture that, it gives them the keys to the kingdom that
allows them to access any part of that network.”
—Additional reporting by Julie Sickel