NEW YORK (MainStreet) — United Airlines and American Airlines have both now acknowledged that their mileage loyalty programs - MileagePlus at United, AAdvantage at American - have been hacked.
This follows on the hacking late last year of the HHonors loyalty program at Hilton.
At United, it is believed that only a handful of accounts (possibly as few as three dozen) had miles stolen. At American, the company said in a written statement: “We are notifying our impacted customers and have locked the accounts that may have been compromised and are letting them know that their miles are safe. We have identified only a handful of cases where miles were used without the account holders’ authorization and tied to this account breach. We’ve already restored these miles to these customers’ accounts. American will do the same for any other affected customer who has experienced unauthorized access to their AAdvantage account as it continues its investigation.”
Both airlines put the blame on customer reuse of email addresses and passwords at multiple sites. American said: “American Airlines recently discovered an unauthorized third party obtained usernames and passwords from sites other than American’s and used them to access a limited number of AAdvantage accounts.”
United media relations staffer Luke Punzenberger elaborated: “Unknown and unauthorized parties attempted to access MileagePlus accounts by using usernames and passwords that are valid for sites unrelated to United Airlines. We temporarily suspended these accounts and worked with the account holders to make sure their information is secure.” For its part, United has disabled access to its MileagePlus program via usernames and/or email addresses. For now, access requires a MileagePlus account number.
Still worse news: many experts believe there will be more such compromises of loyalty programs. The reason is simple: the points or miles are cash equivalents but, said David Amsler, founder of Foreground Security in Florida, “the providers have erred on the side of convenience. They have made it easy to log in.”
“They just are not protected the way bank account and credit cards are,” said Ken Westin, a security expert with Tripwire in Oregon.
Amsler, incidentally, said he first heard about the United hack when, over the holidays, he could not log into his MileagePlus account because it would not allow entry via the username and email address he traditionally used. When he could not recall his MileagePlus account number, he called United, and a rep told him about the hack.
Amsler added that what concerns him is not necessarily the mileage balance as such.
“That’s x’s and o’s - it’s easy to restore stolen miles,” he said. What does concern him is all the other information in his MileagePlus record, including a credit card number, passport number and more.
As for improving security at these sites, Amsler pointed out that the ones he has looked at do not limit the number of failed login attempts before an account is locked. Banks, for instance, typically allow three failed attempts before an account is locked. Unlocking it requires a call to customer service.
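The lockout rule described above, written out as an added example (not code from the article or from any airline): a per-account counter that locks on the third consecutive failure and stays locked until an out-of-band unlock, plus a check the article does not discuss but that a defender would want alongside it: one source trying many distinct accounts, which is what reused credentials look like in a login log, since they usually succeed on the first try and never trip a per-account lockout. The class and function names, the threshold of five accounts, and the sample log are all constructed here.

```python
from collections import defaultdict

MAX_FAILURES = 3  # the bank practice the article cites: lock on third failure


class LoginGuard:
    """Per-account lockout: consecutive failures are counted, and a locked
    account refuses all logins until unlocked out of band (a support call)."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, account, password_ok):
        """Return 'locked', 'denied' or 'ok' for one login attempt."""
        if account in self.locked:
            return "locked"  # refuse even a correct password while locked
        if not password_ok:
            self.failures[account] += 1
            if self.failures[account] >= self.max_failures:
                self.locked.add(account)
                return "locked"
            return "denied"
        self.failures[account] = 0  # a success resets the counter
        return "ok"

    def unlock(self, account):
        """Out-of-band unlock, modelling the customer-service call."""
        self.locked.discard(account)
        self.failures[account] = 0


def stuffing_sources(events, min_accounts=5):
    """Return sources that tried at least min_accounts distinct accounts.
    Reused credentials usually work on the first try, so per-account lockout
    never fires; the signal is one source spraying many accounts."""
    accounts = defaultdict(set)
    for source, account, _ok in events:
        accounts[source].add(account)
    return {s for s, a in accounts.items() if len(a) >= min_accounts}


# Constructed sample log: (source, account, password_ok). One source tries six
# different accounts once each; a normal user mistypes once on their own account.
SAMPLE_EVENTS = [("10.0.0.9", f"MP{n:06d}", n % 2 == 0) for n in range(6)] + [
    ("192.0.2.7", "MP000042", False),
    ("192.0.2.7", "MP000042", True),
]
```

Replaying SAMPLE_EVENTS through a LoginGuard locks nothing, while stuffing_sources flags 10.0.0.9; the two checks catch different things and belong together.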
Westin said that he would like to see such sites offer opt-in two-factor authentication at login, where, for instance, the user receives an SMS code that must be entered on the site before access is granted.
Why isn’t such security in place? Experts shrug and say it appears to be money that is stopping airlines and hotel companies from improving security.
“A silver lining is that these breaches embarrass companies,” said Westin. “They may upgrade security as a result.”
As for what users can do to protect themselves, Westin said that the one, simple step to take is not to reuse login credentials at multiple websites.
“Use a unique login at every site,” he advised. That may mean using a password manager (after a dozen or so logins, who can remember more?), but the inconvenience is outweighed by the safety of knowing that you won’t see important accounts hacked simply because you used the same login at multiple sites, one of which was penetrated.
As for what else to do now, travel blogger Johnny Jet offered an urgent to-do: “Customers should check their accounts often to make sure they haven’t been hacked.” Do that at United and at American, but a smarter precaution is to check every key loyalty account, because, if the security experts are right, 2015 will bring many more breaches of such programs and vigilance just may pay off.
—Written by Robert McGarvey for MainStreet