It’s not just your credit card number that hackers want anymore. It’s your points.
Marriott International Inc’s disclosure on Nov 30 that it’s investigating how hackers siphoned data from 500 million guests is the latest example of fraudsters targeting the US$238bil (RM990.31bil) loyalty industry. Hackers have found it’s increasingly easy to access rewards portals and quickly redeem consumers’ hard-earned points and miles for gift cards or hotel stays.
“It’s very easy for fraudsters to launder loyalty points,” said Michael Reitblat, chief executive officer of Forter, a company that helps retailers fight fraud. “More and more organisations are offering loyalty points because it does create repeat-buying habits, but when they’re exposed it becomes a massive liability.”
Marriott said Nov 30 that hackers over four years accessed records on as many as 500 million Starwood hotel guests – data that included, in many cases, passport numbers, travel histories, loyalty programme accounts and encrypted credit card data. Marriott bought Starwood Hotels & Resorts Worldwide in 2016, and completed the integration of the two companies’ rewards programmes earlier this year. Marriott’s shares slumped as much as 6.9% as regulators, investors and customers assessed the fallout from the hack.
Marriott joins the ranks of airlines and hotel chains, such as Hilton Worldwide Holdings Inc and British Airways, that have had to deal with the fallout from data breaches of their loyalty programmes. In the US, consumers maintain 3.3 billion memberships in such programmes, earning roughly US$48bil (RM199.75bil) worth of points and miles each year, according to Chargebacks911, a risk mitigation firm that helps merchants handle fraud. About 72% of loyalty programmes have experienced fraud.
The data associated with these programmes has become increasingly valuable to criminals: on the dark web, a US consumer’s Social Security number often sells for US$1 (RM4), while loyalty-account information can fetch 20 times that, according to data from Experian Plc.
Here’s how it works: After a fraudster gains access to a customer’s loyalty account, the easiest payoff comes from cashing in points or miles for gift cards or physical goods from the programme’s shopping portal. In some cases, points will be redeemed for hotel stays or flights, which are later cancelled in exchange for a gift card. Unlike credit-card issuers, loyalty-programme operators might not be obligated to make defrauded customers whole.
“With a credit-card number, there’s a short window of time that a criminal can exercise using that card” before the person calls the issuer to get a replacement, Katherine Keefe, who leads breach response services at insurer Beazley Plc, said in an interview Nov 30. “So there’s really almost a limited amount of damage that can be done there.”
Hotels, airlines and retailers often operate at a disadvantage when it comes to combating fraud because they want to make it easy for customers to redeem their rewards – meaning hackers can have an easier time accessing accounts too. Customers also check their loyalty accounts less frequently, meaning they’re less likely to notice if their points are stolen.
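The cash-out pattern described above (account access, then points turned into gift cards or goods, or a booking cancelled into a gift card) and the dormancy problem are both things a programme operator can watch for in its own logs. The following is an added example, not code from the article or from any company it names: a small rule set that flags three patterns in a constructed event stream, namely a liquid redemption within 24 hours of a password reset, e-mail change or new-device login, a long-dormant account having most of its balance drained in one go, and a points booking cancelled into a gift card. The event schema, the thresholds and the sample events are all assumptions.

```python
"""Rule-based detection of loyalty-account takeover and cash-out patterns.

Added example, not from the article or any programme operator it names.
The event schema, thresholds and sample events are constructed assumptions;
a real programme would feed this from its own login, profile-change,
redemption and cancellation logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LIQUID_TYPES = {"gift_card", "merchandise"}      # easiest for a fraudster to resell
BOOKING_TYPES = {"hotel_stay", "flight"}          # can later be cancelled into a gift card
RISK_WINDOW = timedelta(hours=24)    # redemption this soon after a risky event is suspect
DORMANT_AFTER = timedelta(days=180)  # no login for this long: owner rarely checks
DRAIN_FRACTION = 0.8                 # one redemption taking most of the balance
CANCEL_WINDOW = timedelta(days=14)   # booking cancelled to a gift card within this period


def detect(events):
    """Return {account: [reason, ...]} for accounts matching a takeover pattern.

    Each event is a dict with 'ts' (ISO 8601), 'account', 'type' and
    type-specific fields (see SAMPLE_EVENTS). Input order does not matter.
    """
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_acct[e["account"]].append(e)

    flags = defaultdict(list)
    for acct, evs in by_acct.items():
        known_devices = set()
        last_login = None
        was_dormant = False   # did the most recent login follow a long silence?
        risky = None          # (time, description) of the last credential/device change
        bookings = {}         # booking_id -> time the stay/flight was redeemed
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            kind = e["type"]
            if kind == "login":
                was_dormant = last_login is not None and t - last_login > DORMANT_AFTER
                if e["device"] not in known_devices:
                    known_devices.add(e["device"])
                    if last_login is not None:   # the first login only seeds the device list
                        risky = (t, f"login from new device {e['device']}")
                last_login = t
            elif kind in ("password_reset", "email_change"):
                risky = (t, kind)
            elif kind == "redeem":
                soon_after_risk = risky is not None and t - risky[0] <= RISK_WINDOW
                if e["item"] in LIQUID_TYPES and soon_after_risk:
                    flags[acct].append(
                        f"{e['item']} redeemed {t - risky[0]} after {risky[1]}")
                if was_dormant and e["points"] >= DRAIN_FRACTION * e["balance_before"]:
                    flags[acct].append(
                        f"dormant account drained: {e['points']}/{e['balance_before']} points")
                if e["item"] in BOOKING_TYPES:
                    bookings[e["booking_id"]] = t
            elif kind == "cancel":
                booked = bookings.pop(e["booking_id"], None)
                if (booked is not None and e["refund_as"] == "gift_card"
                        and t - booked <= CANCEL_WINDOW):
                    flags[acct].append(
                        f"booking {e['booking_id']} cancelled into a gift card "
                        f"{(t - booked).days} days after redemption")
    return dict(flags)


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # A: owner logs in from the usual device, books a stay, later cancels back to points.
    {"ts": "2018-10-01T09:00:00", "account": "A", "type": "login", "device": "dev-a1"},
    {"ts": "2018-10-02T09:10:00", "account": "A", "type": "redeem", "item": "hotel_stay",
     "points": 20000, "balance_before": 60000, "booking_id": "bk-a1"},
    {"ts": "2018-10-05T11:00:00", "account": "A", "type": "cancel", "booking_id": "bk-a1",
     "refund_as": "points"},
    # B: dormant account, new device, e-mail changed, balance drained into a gift card.
    {"ts": "2018-01-05T18:00:00", "account": "B", "type": "login", "device": "dev-b1"},
    {"ts": "2018-11-20T10:00:00", "account": "B", "type": "login", "device": "dev-x9"},
    {"ts": "2018-11-20T10:05:00", "account": "B", "type": "email_change"},
    {"ts": "2018-11-20T10:30:00", "account": "B", "type": "redeem", "item": "gift_card",
     "points": 95000, "balance_before": 100000},
    # C: flight booked with points, then cancelled into a gift card.
    {"ts": "2018-11-01T08:00:00", "account": "C", "type": "login", "device": "dev-c1"},
    {"ts": "2018-11-01T08:30:00", "account": "C", "type": "redeem", "item": "flight",
     "points": 40000, "balance_before": 45000, "booking_id": "bk-c1"},
    {"ts": "2018-11-04T15:00:00", "account": "C", "type": "cancel", "booking_id": "bk-c1",
     "refund_as": "gift_card"},
]

if __name__ == "__main__":
    for acct, reasons in sorted(detect(SAMPLE_EVENTS).items()):
        print(acct, "->", "; ".join(reasons))
```

Account A is never flagged, B is flagged twice (liquid redemption minutes after an e-mail change on a freshly reactivated account, and most of the balance gone in one redemption) and C once (the book-then-cancel route). The rules deliberately key on the events a fraudster cannot avoid generating (a new device, a credential change, a redemption) rather than on the guest noticing, since the article's point is that guests check these accounts rarely; in practice a hit would hold the redemption for step-up verification rather than block it outright, so that the frictionless redemption the operators want is only interrupted when the signals line up.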
“This is a brand new area of concern,” said Dave Andreadakis, chief strategy officer at Kobie Marketing, which helps retailers develop loyalty programmes. “There’s an increased sophistication and education amongst fraudsters that this is something that can be leveraged for fraud.”
The rise in loyalty fraud has led to changes in insurance coverage. Some insurers have been adding coverage to help their corporate clients mitigate the financial pain caused by the loss of customers after a hack, according to Lindsey Nelson of CFC Underwriting Ltd.
“Where customers can be the largest asset of any organisation in terms of its reward and loyalty programmes, there can be a severe impact to future sales following the breach, which is something that’s overlooked in cyber policies,” said Nelson, CFC’s international cyber team leader.
Protection for reputational loss doesn’t come with every cyber policy, but more insurers have been offering it in recent years, said Robert Parisi, insurance brokerage Marsh LLC’s cyber product leader, who declined to comment on Marriott’s situation in particular. – Bloomberg