
Loyalty and Cybersecurity: Don’t Risk a Breach

Loyalty programs are popular and influential, but they also carry cybersecurity risks. Arm yourselves with protective measures. 

Taylor Swift is considered the most famous and influential entertainer in the world, according to a recent article in “Vanity Fair” magazine. How is this statement qualified? By her number of Twitter followers (60 million), followed by her 140 million albums sold. 
 
Now what, you ask, does Taylor Swift’s social media power have to do with hotel loyalty programs? It’s simple: Many travelers choose their hotels through social channel chatter and customer reviews. 
 
Social media dominates our everyday world, including our travel experiences. Hotel brands such as Marriott International and Kimpton Hotels & Restaurants have taken notice and offer loyalty program members opportunities to earn points or tangible rewards by following the brand’s social media profiles or tagging the brand in social media posts. 
 


Many brands use social media to improve guest satisfaction and online reputation, with the main goal of increasing guest loyalty. They’re working aggressively to transform traditional loyalty programs to meet the needs of millennials who demand immediate gratification, seamless electronic communication, faster ways to accumulate points and personalized service. Those brands that anticipate hotel guest needs likely will dominate their competitors in capturing the loyalty of the millennial traveler. In return, millennial travelers will reward these brands with incremental spend per stay. 
 
A win-win, but with risks
Sounds like a win-win, but with all the innovations in technology that go into creating these intelligent loyalty programs, increased cybersecurity risk is almost sure to follow. 
 
In order for these loyalty programs to offer the personalized service demanded by today’s traveler, customers are asked to share a significant amount of personal data, including income levels, travel schedules and credit card numbers. According to several studies, customers say they would reconsider continued participation if a data breach were to occur within their loyalty program. This jeopardizes loyalty to the brand and results in potential revenue loss. Loyalty to a certain brand implies trust in the provider. 
 
Because retaining a customer is far less costly than acquiring a new customer, hotel companies should designate significant resources to safeguard loyalty members’ personal information.
 
Many fraud prevention policies and controls are reactive rather than proactive. Further, loyalty members are less diligent with respect to active security practices when it comes to safeguarding access to their loyalty profile than with credit card and bank account information. 
 
With travel loyalty programs increasing in popularity and value (larger programs have valuations in the billions of dollars), cyber thieves have taken notice of the imbalance of ease/reward associated with hacking a loyalty program versus a bank account. Loyalty points can be monetized and used as a digital currency to buy jewelry, computers, and other valuable products via online shopping sites affiliated with hotel brands. Recent data breaches experienced by Hilton’s HHonors loyalty program, Starwood Preferred Guest, American’s AAdvantage and United’s MileagePlus demonstrate the prevalence of cyber risk and the need for companies offering these programs to take a proactive approach to reducing the risk of loyalty account hacking. 
 
Loyalty program fraud occurs in three main ways: 
 
1. Inside the company by employees
Employees within the organization are able to perpetrate fraud due to insufficient processes and internal controls. An example of this type of fraud is when employees of the company enter their own loyalty number when customers do not have or do not enter a frequent guest number, thus accumulating points in their own accounts.
 
2. Through outside attacks by hackers
Accounts are taken over by cyber terrorists using false identities or stolen personal credentials. An example includes using the data from a boarding pass left on a seat by a passenger who does not have a frequent flyer account number. In another example, hackers can exploit weak security systems and passwords to gain access to program accounts.
 
3. By customers themselves
Loyalty members perpetrate fraud by not abiding by program rules and allowing family members to take over accounts or selling points to “mileage brokers,” who then resell award tickets as discounted business or first-class travel.
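
The employee scenario in item 1 lends itself to a simple internal-control check over point accrual records. The sketch below is an added example, not part of the original column or any hotel system; the record layout, clerk IDs, loyalty numbers and the surname threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample accrual records (not real data), one row per stay:
# (stay id, surname on the folio, loyalty number credited, clerk who keyed it)
ACCRUALS = [
    ("S1001", "Nguyen", "L-204", "clerk07"),
    ("S1002", "Okafor", "L-881", "clerk07"),
    ("S1003", "Bauer",  "L-881", "clerk07"),
    ("S1004", "Silva",  "L-881", "clerk07"),
    ("S1005", "Haddad", "L-310", "clerk12"),
    ("S1006", "Haddad", "L-310", "clerk03"),
    ("S1007", "Marsh",  "L-555", "clerk12"),
]

# Hypothetical HR-to-loyalty mapping: loyalty numbers that belong to staff.
EMPLOYEE_ACCOUNTS = {"L-555": "clerk12"}


def flag_suspicious_accruals(accruals, employee_accounts, max_surnames=2):
    """Return {loyalty_number: [reasons]} for accounts that need manual review."""
    surnames = defaultdict(set)
    clerks = defaultdict(set)
    for _stay_id, surname, loyalty_no, clerk in accruals:
        surnames[loyalty_no].add(surname.lower())
        clerks[loyalty_no].add(clerk)

    findings = defaultdict(list)
    for loyalty_no, names in surnames.items():
        # One account credited for stays booked under many different guest names.
        if len(names) > max_surnames:
            findings[loyalty_no].append(
                f"credited for {len(names)} distinct folio surnames")
        # A staff member keyed a stay onto an account they own.
        owner = employee_accounts.get(loyalty_no)
        if owner and owner in clerks[loyalty_no]:
            findings[loyalty_no].append(f"keyed by account owner {owner}")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in flag_suspicious_accruals(ACCRUALS, EMPLOYEE_ACCOUNTS).items():
        print(account, "->", "; ".join(reasons))
```

A flag here is a reason to review, not proof of fraud: families sharing a surname pass, while a travel arranger booking for colleagues would need an allow-list.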
 
Put protections in place
Here are some practical steps for brands to consider in minimizing cybersecurity risk:
 

  • Educate loyalty members regularly about the potential risks of a data breach and urge increased monitoring of account activity, regularly changing passwords, and avoiding using the same password for multiple sites, which reduces the possibility of a hacker obtaining access to multiple sites. Brands should consider rewarding customers who demonstrate active security practices by offering complimentary points for those members who regularly change their passwords.
  • Implement a system in which customers are notified via email or text message when a password or email address has been changed.
  • Implement a two-factor authentication process, which adds more reliance on personal devices. An example of this technique is a user receiving a code on his mobile phone after inputting his login and password on the website. The code is then entered on the site as a second authentication step.
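
The second authentication step described in the last bullet, as an added sketch that is not from the original column: a six-digit code is issued after the password check, stored only as a hash, and accepted once within a short window. The function names, the 5-minute lifetime and the 5-attempt limit are assumptions, and delivery of the code to the phone is out of scope.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed guess limit per code


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).digest()


def issue_challenge(now=None):
    """Create a login code after the password check has passed.

    Returns (challenge, code): the challenge is kept server-side and holds
    only a hash of the code; the code itself goes to the member's phone.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
    challenge = {
        "digest": _digest(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return challenge, code


def verify_code(challenge, submitted, now=None):
    """Check the code typed into the site; True completes the login."""
    now = time.time() if now is None else now
    if challenge["used"] or now > challenge["expires"]:
        return False  # replayed or stale code
    if challenge["attempts"] >= MAX_ATTEMPTS:
        return False  # too many guesses: a new code must be issued
    challenge["attempts"] += 1
    # Constant-time comparison avoids leaking how much of the code matched.
    if hmac.compare_digest(_digest(submitted), challenge["digest"]):
        challenge["used"] = True
        return True
    return False
```

The expiry, single-use flag and attempt counter are what keep a six-digit code from being guessed or replayed; without them the second step adds little over the password alone.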

Customer loyalty is an invaluable asset for a brand. By implementing proactive measures to protect against cyber risk, brands minimize the risk of losing this asset.
 
Deborah S. Friedland is a Director in the Corporate Finance Group of EisnerAmper. Deborah specializes in feasibility and benchmarking studies, operational strategy analysis, property conversion analysis, asset management, valuation, and transactional due diligence for investors and lenders. With over 20 years of experience, Deborah has advised clients in connection with the acquisition, finance, conversion or operation of real estate including hospitality, gaming, restaurant, industrial, commercial, mixed-use, golf course, and amusement park properties as well as numerous REITs dedicated to investing in such properties. She has structured master leases for taxable and non-taxable REIT structures involving public and private projects. Deborah has been involved in the successful turnaround of numerous hotels, resorts, restaurants, and mixed-use properties. She is also involved in the firm’s Real Estate Services Group.
 
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Columnists published on this site are given the freedom to express views that might be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.