
Trends & Developments - March 2016 - Hospitality Management - Loyalty and Cybersecurity: Don’t Risk a Breach

Mar 16, 2016

Taylor Swift is considered the most famous and influential entertainer in the world, according to a recent article in “Vanity Fair” magazine. How is this statement qualified? By her number of Twitter followers (60 million), followed by her 140 million albums sold.

Now what, you ask, does Taylor Swift’s social media power have to do with hotel loyalty programs? It’s simple: Many travelers choose their hotels through social channel chatter and customer reviews. 

Social media dominates our everyday world, including our travel experiences. Hotel brands such as Marriott International and Kimpton Hotels & Restaurants have taken notice and offer loyalty program members opportunities to earn points or tangible rewards by following the brand’s social media profiles or tagging their brands in social media posts.

Many brands use social media to increase guest satisfaction and improve their online reputation, with the main goal of increasing guest loyalty. They’re working aggressively to transform traditional loyalty programs to meet the needs of millennials who demand immediate gratification, seamless electronic communication, faster ways to accumulate points and personalized service. Those brands that anticipate hotel guest needs likely will dominate their competitors in capturing the loyalty of the millennial traveler. In return, millennial travelers will reward these brands with incremental spend per stay.

A win-win, but with risks

Sounds like a win-win, but with all the innovations in technology that go into creating these intelligent loyalty programs, increased cybersecurity risk is almost sure to follow. 

In order for these loyalty programs to offer the personalized service demanded by today’s traveler, customers are asked to share a significant amount of personal data, including income levels, travel schedules and credit card numbers. According to several studies, customers say they would reconsider continued participation if a data breach were to occur within their loyalty program. This jeopardizes loyalty to the brand and results in potential revenue loss. Loyalty to a certain brand implies trust in the provider. 

Because retaining a customer is far less costly than acquiring a new customer, hotel companies should designate significant resources to safeguard loyalty members’ personal information.

Many fraud prevention policies and controls are reactive rather than proactive. Further, loyalty members are less diligent about safeguarding access to their loyalty profile than they are with credit card and bank account information.

With travel loyalty programs increasing in popularity and value (larger programs have valuations in the billions of dollars), cyber thieves have taken notice of the imbalance of ease/reward associated with hacking a loyalty program vs. a bank account. Loyalty points can be monetized and used as a digital currency to buy jewelry, computers, and other valuable products via online shopping sites affiliated with hotel brands. Recent data breaches experienced by Hilton’s HHonors loyalty program, Starwood Preferred Guest, American’s AAdvantage and United’s MileagePlus demonstrate the prevalence of cyber risk and the need for companies offering these programs to take a proactive approach to reducing the risk of loyalty account hacking.

Loyalty program fraud occurs in 3 main ways: 

  1. Inside the company by employees – Employees within the organization are able to perpetrate fraud due to insufficient processes and internal controls. An example of this type of fraud is when employees of the company enter their own loyalty number when customers do not have or do not enter a frequent guest number, thus accumulating points in their own accounts.
  2. Through outside attacks by hackers – Accounts are taken over by cyber terrorists using false identities or stolen personal credentials. An example includes using the data from a boarding pass left on a seat by a passenger who does not have a frequent flyer account number. In another example, hackers can exploit weak security systems and passwords to gain access to program accounts.
  3. By customers themselves – Loyalty members perpetrate fraud by not abiding by program rules and allowing family members to take over accounts or selling points to “mileage brokers,” who then resell award tickets as discounted business or first-class travel.

Put protections in place

Here are some practical steps for brands to consider in minimizing cybersecurity risk:

  • Educate loyalty members regularly about the potential risks of a data breach, and urge them to monitor account activity, change passwords regularly, and avoid using the same password for multiple sites, which reduces the possibility of a hacker obtaining access to multiple sites. Brands should consider rewarding customers who demonstrate active security practices by offering complimentary points for those members who regularly change their passwords.
  • Implement a system in which customers are notified via email or text message when a password or email address has been changed.
  • Implement a 2-factor authentication process, which adds more reliance on personal devices. An example of this technique is a user receiving a code on his mobile phone after inputting his login and password on the website. The code is then entered on the site as a second authentication step.
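
The last two steps above (a notice when the email address changes, and a texted code as the second login step), sketched as an added example that is not part of the original article. The `LoyaltyAccount` class, the `outbox` list standing in for SMS/email delivery, the expiry and attempt limits, and sending the notice to the previous address are all assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a texted code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed per code (assumed policy)

class LoyaltyAccount:
    """Hypothetical member record; delivery is stubbed as an in-memory outbox."""
    def __init__(self, email, phone):
        self.email, self.phone = email, phone
        self.outbox = []        # (destination, message) pairs "sent" to the member
        self._pending = None    # [code_hash, expires_at, attempts_left]

    def start_second_factor(self, now=None):
        """Call only after the login and password were accepted."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, not random.random()
        digest = hashlib.sha256(code.encode()).digest()
        self._pending = [digest, now + CODE_TTL, MAX_ATTEMPTS]
        self.outbox.append((self.phone, f"Your login code is {code}"))
        return code   # returned only so this demo can read it back

    def verify_second_factor(self, submitted, now=None):
        now = time.time() if now is None else now
        if self._pending is None:
            return False
        digest, expires_at, attempts = self._pending
        if now > expires_at or attempts <= 0:
            self._pending = None                      # expired or locked out
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).digest())
        if ok:
            self._pending = None                      # single use: no replay
        else:
            self._pending[2] -= 1                     # limits guessing of 6 digits
        return ok

    def change_email(self, new_email):
        """Notify the previous address and the phone, not the new address."""
        old, self.email = self.email, new_email
        note = "The email address on your loyalty account was changed."
        self.outbox.append((old, note))
        self.outbox.append((self.phone, note))
```

The notice goes to the old address and the phone because a notice sent only to the new address would reach whoever made the change rather than the member.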

Customer loyalty is an invaluable asset for a brand. By implementing proactive measures to protect against cyber risk, the risk of losing this asset will be minimized.

This article was first published by Hotel News Now, September 10, 2015.
