Expect a record number of travelers to take to the skies over the upcoming holiday season. Between November 20th and December 1st, 2015, 65,000 more people than the daily average flew to destinations all over the world. Many travelers rely on banked frequent flyer miles to pay for their trips. But some cyber criminals are preventing their victims from making it off the ground.
American Airlines AAdvantage, Delta SkyMiles, and United MileagePlus are among the big carriers’ travel rewards programs. They offer similar benefits, such as free trips, seat upgrades, free checked baggage and early boarding, in return for customer loyalty. Some programs allow customers to redeem miles for car rentals or hotel stays. Records of trip information, mileage, and how rewards are redeemed are kept in accounts that program members can access online.
Flying for Free
A former Florida International University student racked up trips and car rentals worth more than $260,000 by hacking into American Airlines accounts in 2016. During the holiday travel season in 2015, 10,000 American Airlines AAdvantage accounts and dozens of United accounts were compromised. Thieves used customers’ login credentials found elsewhere to access the frequent flyer program accounts, then booked trips and upgraded seats. The credentials were stolen from another source, but customers who used the same login and password for their frequent flyer programs left themselves open to the attacks. Earlier that same year, hackers used brute-force attacks to steal Lufthansa customers’ miles. The attackers used a botnet to try virtually every possible combination of characters until passwords were compromised.
Around the same time, airline employees and hackers redeemed more than $23,000 worth of stolen miles from Air India accounts. Another breach exposed tens of thousands of British Airways accounts as well.
In these cases, the airlines restored customers’ banked mileage.
It’s not just mileage that is up for grabs. Many accounts contain a treasure trove of personal information for cybercriminals: full names, dates of birth, security question answers, credit card numbers, last four digits of Social Security Numbers, and known traveler numbers. Researchers at Kaspersky Lab found that hackers trade stolen miles on the black market with other thieves in exchange for stolen credit card numbers or access to a botnet.
Keeping Accounts Safe
In many instances, passengers need to take a few simple steps to keep their personal information, and miles, safe. Printed boarding passes contain much of the data needed to access frequent flyer accounts. Passenger names, account numbers, and flight data are all visible. How many times have you thrown your boarding pass away in an airport trash can? Boarding passes should be shredded like bank statements and bills.
IT professionals advise consumers to use unique credentials and strong passwords for every account. Customers should also be wary of phishing scams. Emails or phone calls masquerading as requests from trusted sources are attempts by thieves to acquire sensitive login, password, or personal information.
Cyber criminals are stealing frequent flyer miles from airline passengers for travel and black-market currency. Major carriers such as Delta, United, American, British Airways, Air India, and Lufthansa reported compromised customer accounts in 2015 and 2016. Hackers are also obtaining personal information stored in the accounts, such as full names, dates of birth, security question answers, known traveler numbers, and credit card numbers. Customers can protect their personal information by creating strong passwords, using unique credentials, and destroying paper records with account information.
In preparation for the Certified Information Privacy Technologist exam, a privacy professional should be comfortable with topics related to this post, including:
- Stakeholders Expectations for Privacy (I.C.)
- Security Safeguards (II.C.e.)