Miles Stolen; American, United and Delta Frequent Flier Accounts Breached
H ave you checked in on your frequent flier loyalty account activity within the past month?
Perhaps you should, as a number of members of the frequent flier loyalty programs of American Airlines, United Airlines and Delta Air Lines have become victims of having their accounts breached and compromised where thieves have stolen their user names and passwords and have redeemed their miles for free trips and upgrades — similar to the attacks on members of the Hilton HHonors frequent guest loyalty program accounts within the past few months.
“In the past 4 weeks I have had miles stolen 2 times”, posted FlyerTalk member Chrislorl pertaining to Delta Air Lines SkyMiles. “The first was for two tickets from an airport in Russia to Hong Kong. I found it withing 6 hours (when I woke up). They had gotten into my account, changed the email address and booked the tickets. Delta confirmed that the seats were not used due to lack of a proper Visa when checking on to the Air France flight. My miles were restored within 3 days.”
Despite thorough measures being taken by Chrislorl — such as having the password changed for the SkyMiles account, all e-mail accounts, and other accounts and items changed; the computer scanned twice; as well as the telephone restored and scanned — “last week 3 tickets from the same airport to Denmark. This time they were checked in and waiting for a KLM flight. Delta told me they had contacted the authorities in that airport and would handle it. Again I changed everything that night.”
Meanwhile, two of a number of FlyerTalk members affected by the security breach with their American Airlines AAdvantage frequent flier loyalty program accounts shared their experiences: FlyerTalk member austin_modern reported that “All my 500 mile upgrade stickers are gone”; and FlyerTalk member poolc posted that “I did not get any emails but suddenly this morning I was no longer able to log in or reset my password. I called AA and they told me my account number had changed and I should call Aadvantage Customer Service on Monday when they open to clear things up.”
The agent told poolc that “my new account number and I was able to login with it. The new account has my mileage balance, Exec Plat status, and system wide upgrade balance, but nothing else. No past activity, none of my 4 upcoming itineraries, my 10 500-mile upgrades are missing, all personal info except my name and home address were gone.”
Similarly to the Hilton HHonors frequent guest loyalty program, access to accounts of the United Airlines MileagePlus frequent flier loyalty program only requires a personal identification number comprising of four digits — something which used to be the criterion to access a Delta Air Lines SkyMiles account until October 29, 2014, when the personal identification number was suddenly required to be changed to a more secure password — so it is no surprise that many FlyerTalk members started reporting late last month that they were affected by the security breach with their United Airlines MileagePlus frequent flier loyalty program accounts and shared their experiences as well.
“I hope this incident serves as a wake-up call for United and that they finally allow some way to disable the 4-digit PIN code entirely”, posted FlyerTalk member rmannion. “It’s absurd in this day and age that such a shoddy security mechanism is in place and enforced.”
I want to pause for a moment to apologize to The Gate reader Pete, who commented back on November 1, 2014 — shortly before the security breaches: “Brian you should also do a write up about United they use the 4 digit pin for login. Like Hilton it can’t be disabled. It also has to be provided to the customer service personnel when calling them. I believe the only way to get these companies to change sometimes is to put public pressure on them.”
Please accept my apologies, Pete. I should have been more diligent about honoring your excellent request. Unfortunately — despite this article which I posted — the log-in criterion for accessing a Hilton HHonors account still has not changed to a more secure method…
…that is, other than a CAPTCHA — which is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart — program was added earlier this month to the area where you log into your Hilton HHonors frequent guest loyalty program account; but that apparently has not been enough to stop what is being called the “hacking” of accounts.
David Keonig of the Associated Press had covered the aspect of this story pertaining to American Airlines and United Airlines, whose representatives have said that “the incidents happened in late December. American began notifying affected customers by email on Monday, a spokeswoman said.”
Spokespeople from both United Airlines and American Airlines told David Keonig the following statements:
United Airlines spokesman Luke Punzenberger said thieves booked trips or made mileage transactions on up to three dozen accounts. United notified customers in late December, and Punzenberger said the airline would restore miles to anyone who had them stolen.
American Airlines spokeswoman Martha Thomas said that about 10,000 accounts were affected and some have been frozen while the airline and customer set up new accounts, starting with customers who have at least 100,000 miles. She said the airline has learned of two cases in which somebody booked a free trip or upgrade without the account holder’s knowledge.
While it may be of little comfort, even the Central Command of the United States military is not immune to “cyber-attacks.”
FlyerTalk member packetboy — who claims to be “a cyber fraud investigator” — offers the following information and advice:
I’ve actually done briefings on the Rewards Points fraud issue…it has been accelerating over the last couple of years.
There are three usual root causes to this issue:
1) You feel for a phishing attack and gave up your credentials (guessing this is NOT the issue)
2) Your machine (or ANY machine you used to login to your account) is compromised with a trojan that logs all your keystrokes (aka: ‘keylogger’) (this is why you should never login to your account from an untrusted PC like a hotel business center). BTW: Letting your kids use your PC now makes your PC untrusted.
3) You used the same password for your Delta account on other websites *and* one of those website got hacked into. Criminals routinely take passwords from these compromises and replay them against other web sites where there is money (or points) to be stolen. For more background on this issue Google: CyberVor
You should be made whole, but everyone should take steps to protect your accounts almost as well as you would a bank account…it is a prime target and I wouldn’t be surprised if this problem escalates to a point where airlines stop taking the liability for this kind of fraud..they certainly have no legal liability to do so.
How about this idea, airlines and lodging companies: perhaps invest some of the billions of dollars in profit into strengthening the information technology aspect to ensure that sensitive data is as secure as possible for members of your frequent travel loyalty programs; and do it with as little inconvenience as possible to them.
Is that too much to ask?!?