Crazy Things Enable Loyalty Program Data Leakage

Crazy Things cause data leakage and theft

Blog contributed by Carlos Kizzee, Executive Vice President of Intelligence Operations & Legal Affairs, RH-ISAC.

Online shopping was already increasing before the pandemic. Since March of 2020 it has increased even more. Many consumers use retail, airline, and hotel loyalty programs to minimize transactional friction and to accrue valuable benefits. But what happens when personal information from those loyalty programs is leaked?

RH-ISAC and The Media Trust are exploring some of the unexpected aspects of online retail in our series, “Crazy Things that Happen in your Online Store Every Day.” In the fifth piece in the series, "Crazy Things You Wouldn’t See in a Hotel," focuses on loyalty program data leakage or theft. Loyalty programs work out great for everyone: the retail vendor, airline, or hotel gains a loyal, repeat customer and the customer saves money or earns frequent-use perks that can enhance their transactional experience and provide benefits that are not available to other customers. That said, when the loyalty program is used to capture the customer’s information, or the accrued benefits are siphoned from the loyal customer the retail, airline or hotel vendor can bring injury to their customer or raise the risk of losing their business.

Imagine a loyal customer staying at your hotel, enjoying platinum status as a frequent visitor. They come out of the elevator into the lobby and are horrified to find their details—and the details of a lot of other loyalty program members—posted in the lobby! Their personal contact data and card information, along with details of where and when they’ve stayed and even their personal preferences are on display. The customer not only will be embarrassed but would also furious and may leave the hotel…forever!

This sort of thing happens with depressing frequency, as customer loyalty program details are hacked and shared online by malicious actors. This is usually done in one of two ways. One is called transparent overlay—basically, the bad actors create a fake webpage that looks identical to the loyalty program page, enticing users to “log in”—which, of course, provides the bad actors with access to the customer’s loyalty program info. Alternately, there may be malicious code in the background of actual loyalty program pages, again allowing bad actors access to entire accounts’ worth of information.

There are ways to fix this problem:

  • Conduct period journey scans on sensitive pages of your loyalty program (registration, profile edit, card on file, etc). As always, you want to have as comprehensive a view as possible, so scan with a variety of variables—gender, location, profile type, etc.
  • Restrict access to sensitive pages to only those entities and companies you recognize. Ask those with access questions about their use of MarTech, AdTech, and others. Make sure you understand and are comfortable with their policies around data collection, and pay attention to any unauthorized or unrecognized activity, particularly data exfiltration.
  • Establish policies around third-party and vendor security and share those policies with those you have relationships with. 

RH-ISAC and The Media Trust will be looking into more surprising, unexpected, and flat-out crazy things that happen in digital stores that wouldn’t happen anywhere else. Check out the other blogs in this series:

  1. Crazy Things You Wouldn’t See in Brick & Mortar
  2. Crazy Things You Wouldn’t See in a Restaurant
  3. Crazy Things You Wouldn't See in a Retail Store
  4. Crazy Things You Wouldn't See in Curbside Pickup
  5. Crazy Things You Wouldn't See in a Hotel