Miles Stolen; American, United and Delta Frequent Flier Accounts Breached
H ave you checked in on your frequent flier loyalty account activity within the past month?
Perhaps you should, as a number of members of the frequent flier loyalty programs of American Airlines, United Airlines and Delta Air Lines have become victims of having their accounts breached and compromised where thieves have stolen their user names and passwords and have redeemed their miles for free trips and upgrades — similar to the attacks on members of the Hilton HHonors frequent guest loyalty program accounts within the past few months.
“In the past 4 weeks I have had miles stolen 2 times”, posted FlyerTalk member Chrislorl pertaining to Delta Air Lines SkyMiles. “The first was for two tickets from an airport in Russia to Hong Kong. I found it withing 6 hours (when I woke up). They had gotten into my account, changed the email address and booked the tickets. Delta confirmed that the seats were not used due to lack of a proper Visa when checking on to the Air France flight. My miles were restored within 3 days.”
Despite thorough measures being taken by Chrislorl — such as having the password changed for the SkyMiles account, all e-mail accounts, and other accounts and items changed; the computer scanned twice; as well as the telephone restored and scanned — “last week 3 tickets from the same airport to Denmark. This time they were checked in and waiting for a KLM flight. Delta told me they had contacted the authorities in that airport and would handle it. Again I changed everything that night.”
The agent told poolc that “my new account number and I was able to login with it. The new account has my mileage balance, Exec Plat status, and system wide upgrade balance, but nothing else. No past activity, none of my 4 upcoming itineraries, my 10 500-mile upgrades are missing, all personal info except my name and home address were gone.”
“I hope this incident serves as a wake-up call for United and that they finally allow some way to disable the 4-digit PIN code entirely”, posted FlyerTalk member rmannion. “It’s absurd in this day and age that such a shoddy security mechanism is in place and enforced.”
I want to pause for a moment to apologize to The Gate reader Pete, who commented back on November 1, 2014 — shortly before the security breaches: “Brian you should also do a write up about United they use the 4 digit pin for login. Like Hilton it can’t be disabled. It also has to be provided to the customer service personnel when calling them. I believe the only way to get these companies to change sometimes is to put public pressure on them.”
Please accept my apologies, Pete. I should have been more diligent about honoring your excellent request. Unfortunately — despite this article which I posted — the log-in criterion for accessing a Hilton HHonors account still has not changed to a more secure method…
…that is, other than a CAPTCHA — which is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart — program was added earlier this month to the area where you log into your Hilton HHonors frequent guest loyalty program account; but that apparently has not been enough to stop what is being called the “hacking” of accounts.
Spokespeople from both United Airlines and American Airlines told David Keonig the following statements:
United Airlines spokesman Luke Punzenberger said thieves booked trips or made mileage transactions on up to three dozen accounts. United notified customers in late December, and Punzenberger said the airline would restore miles to anyone who had them stolen.
American Airlines spokeswoman Martha Thomas said that about 10,000 accounts were affected and some have been frozen while the airline and customer set up new accounts, starting with customers who have at least 100,000 miles. She said the airline has learned of two cases in which somebody booked a free trip or upgrade without the account holder’s knowledge.
1) You feel for a phishing attack and gave up your credentials (guessing this is NOT the issue)
2) Your machine (or ANY machine you used to login to your account) is compromised with a trojan that logs all your keystrokes (aka: ‘keylogger’) (this is why you should never login to your account from an untrusted PC like a hotel business center). BTW: Letting your kids use your PC now makes your PC untrusted.
3) You used the same password for your Delta account on other websites *and* one of those website got hacked into. Criminals routinely take passwords from these compromises and replay them against other web sites where there is money (or points) to be stolen. For more background on this issue Google: CyberVor
You should be made whole, but everyone should take steps to protect your accounts almost as well as you would a bank account…it is a prime target and I wouldn’t be surprised if this problem escalates to a point where airlines stop taking the liability for this kind of fraud..they certainly have no legal liability to do so.
How about this idea, airlines and lodging companies: perhaps invest some of the billions of dollars in profit into strengthening the information technology aspect to ensure that sensitive data is as secure as possible for members of your frequent travel loyalty programs; and do it with as little inconvenience as possible to them.