Thousands of loyalty-program accounts belonging to frequent American Airlines and United Airlines travelers have been compromised, with hackers going as far as booking themselves several free trips or upgrades.
On Monday, American Airlines spokeswoman Martha Thomas told The Associated Press the airline had notified nearly 10,000 affected customers of the incident, which occurred in late December. As a result, certain accounts have been frozen while new accounts are set up.
Additionally, United Airlines spokesman Luke Punzenberger stated cybercriminals made mileage transactions or booked trips on up to three dozen loyalty program accounts. However, Punzenberger added that United Airlines plans to restore all stolen miles from impacted customers.
Thomas, as well as Punzenberger, confirmed the airlines’ systems were not hacked – rather, the hackers reused login credentials stolen elsewhere to attempt to access the accounts of American’s AAdvantage and United’s MileagePlus users. Other information, such as full credit-card numbers, was not exposed.
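The credential-reuse pattern described above leaves a recognisable trace in a site's authentication logs: one source address walking through many different accounts, most attempts failing, a few succeeding. The Python below is an added example, not code from the article, from either airline, or from Tripwire. It assumes a simple constructed log format (`timestamp ip=... user=... result=OK|FAIL`) and sample lines that are made up for illustration; it flags source addresses whose behaviour matches a replayed credential list and reports which accounts were successfully accessed from such a source, which is the set a defender would freeze and reset, as the airlines did.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (illustrative, not real data).
# One source address tries eight different accounts in a few seconds and
# mostly fails; two other sources look like ordinary users.
SAMPLE_LOG = """\
2015-01-05T02:14:01Z ip=203.0.113.7 user=alice result=FAIL
2015-01-05T02:14:02Z ip=203.0.113.7 user=bob result=FAIL
2015-01-05T02:14:02Z ip=203.0.113.7 user=carol result=OK
2015-01-05T02:14:03Z ip=203.0.113.7 user=dave result=FAIL
2015-01-05T02:14:03Z ip=203.0.113.7 user=erin result=FAIL
2015-01-05T02:14:04Z ip=203.0.113.7 user=frank result=OK
2015-01-05T02:14:05Z ip=203.0.113.7 user=grace result=FAIL
2015-01-05T02:14:05Z ip=203.0.113.7 user=heidi result=FAIL
2015-01-05T09:00:10Z ip=198.51.100.2 user=alice result=FAIL
2015-01-05T09:00:20Z ip=198.51.100.2 user=alice result=OK
2015-01-05T09:05:00Z ip=198.51.100.9 user=ivan result=OK
"""

# Assumed log format; adjust the pattern for a real system's log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts with a high failure rate.

    A legitimate user mistyping a password touches one account from one
    source. A stolen credential list replayed against the site touches many
    accounts from the same source and mostly fails, because most of the
    leaked passwords were never reused here. Both thresholds are assumed
    starting points to be tuned against a real site's baseline.
    """
    per_ip = defaultdict(
        lambda: {"accounts": set(), "attempts": 0, "fails": 0, "succeeded": set()}
    )
    for ev in events:
        s = per_ip[ev["ip"]]
        s["accounts"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["succeeded"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(s["accounts"]),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that a flagged source logged into successfully:
                # the ones to freeze and force a credential reset on.
                "compromised": sorted(s["succeeded"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Counting distinct accounts per source rather than raw failures is what separates this from a simple brute-force rule: a password-guessing attack hammers one account, whereas credential stuffing spreads one or two guesses across thousands of accounts and can stay under a per-account lockout threshold entirely. In practice the same aggregation is also run per user agent and per network block, since attackers rotate source addresses.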
The incident has since been referred to the FBI, said Thomas.
“Air miles and loyalty programs are low-hanging fruit for hackers,” commented Tripwire security analyst Ken Westin.
“Although air miles and points can be used as a form of currency to purchase trips, hotel stays and other goods and services, they generally lack the security controls you would usually see with traditional forms of currency, such as with credit card transactions.”
Westin adds that most of the websites for accessing these accounts have had woefully inadequate security, with improper password policies and no two-factor authentication option.
“The fact that these miles and points can be traded in underground markets in exchange for bitcoin or other forms of cryptocurrency – paired with the lax security to gain access to the accounts – creates a perfect opportunity for the enterprising hacker to generate income from their exploits,” said Westin.
Last year, a similar breach impacted millions of Hilton HHonors customers after their rewards points were stolen and sold online by scammers in exchange for gift cards and other goods.