Loyalty Points Were Also a Target in Marriott Hack

  • Skift Take
    We look forward to reading complaints in points message boards by hackers dissatisfied with Marriott’s new redemption structure.

    It’s not just your credit card number that hackers want anymore. It’s your points.

    Marriott International Inc.’s disclosure on Friday that it’s investigating how hackers siphoned data from 500 million guests is the latest example of fraudsters targeting the $238 billion loyalty industry. Hackers have found it’s increasingly easy to access rewards portals and quickly redeem consumers’ hard-earned points and miles for gift cards or hotel stays.

    “It’s very easy for fraudsters to launder loyalty points,” said Michael Reitblat, chief executive officer of Forter, a company that helps retailers fight fraud. “More and more organizations are offering loyalty points because it does create repeat-buying habits, but when they’re exposed it becomes a massive liability.”

    Marriott said Friday that hackers over four years accessed records on as many as 500 million Starwood hotel guests — data that included, in many cases, passport numbers, travel histories, loyalty program accounts and encrypted credit card data. Marriott bought Starwood Hotels & Resorts Worldwide in 2016, and completed the integration of the two companies’ rewards programs earlier this year. Marriott’s shares slumped as much as 6.9 percent as regulators, investors and customers assessed the fallout from the hack.

    Marriott joins the ranks of airlines and hotel chains, such as Hilton Worldwide Holdings Inc. and British Airways, that have had to deal with the fallout from data breaches of their loyalty programs. In the U.S., consumers maintain 3.3 billion memberships in such programs, earning roughly $48 billion worth of points and miles each year, according to Chargebacks911, a risk mitigation firm that helps merchants handle fraud. About 72 percent of loyalty programs have experienced fraud.

    The data associated with these programs has become increasingly valuable to criminals: on the dark web, a consumer’s Social Security number often sells for $1, while loyalty-account information can fetch 20 times that, according to data from Experian Plc.

    Here’s how it works: After a fraudster gains access to a customer’s loyalty account, the easiest payoff comes from cashing in points or miles for gift cards or physical goods from the program’s shopping portal. In some cases, points will be redeemed for hotel stays or flights, which are later canceled in exchange for a gift card. Unlike credit-card issuers, loyalty-program operators might not be obligated to make defrauded customers whole.

    ‘Short Window’

    “With a credit-card number, there’s a short window of time that a criminal can exercise using that card” before the person calls the issuer to get a replacement, Katherine Keefe, who leads breach response services at insurer Beazley Plc, said in an interview Friday. “So there’s a really almost a limited amount of damage that can be done there.”

    Hotels, airlines and retailers often operate at a disadvantage when it comes to combating fraud because they want to make it easy for customers to redeem their rewards — meaning hackers can have an easier time accessing accounts too. Customers also check their loyalty accounts less frequently, meaning they’re less likely to notice if their points are stolen.

    “This is a brand new area of concern,” said Dave Andreadakis, chief strategy officer at Kobie Marketing, which helps retailers develop loyalty programs. “There’s an increased sophistication and education amongst fraudsters that this is something that can be leveraged for fraud.”

    The rise in loyalty fraud has led to changes in insurance coverage. Some insurers have been adding coverage to help their corporate clients mitigate the financial pain caused by the loss of customers after a hack, according to Lindsey Nelson of CFC Underwriting Ltd.

    “Where customers can be the largest asset of any organization in terms of its reward and loyalty programs, there can be a severe impact to future sales following the breach, which is something that’s overlooked in cyber policies,” said Nelson, CFC’s international cyber team leader.

    Protection for reputational loss doesn’t come with every cyber policy, but more insurers have been offering it in recent years, said Robert Parisi, insurance brokerage Marsh LLC’s cyber product leader, who declined to comment on Marriott’s situation in particular.

    ©2018 Bloomberg L.P.


    This article was written by Jenny Surane and Katherine Chiglinsky from Bloomberg and was legally licensed through the NewsCred publisher network.

    Photo Credit: Exterior of a Marriott hotel. The company is dealing with a hack that happened at Starwood's SPG program. Bloomberg