Hilton boosts reward program security after hacker attack

Not content with lifting credit card information and disabling websites, hackers recently targeted the Hilton HHonors reward program, draining some accounts of their accumulated points.

According the The Register, Hilton responded to the hack by adding a CAPTCHA feature to its loyalty program site, designed to discourage automated programs accessing the site, which will also fight against programs designed to guess PIN codes. Beyond this, the company has yet to acknowledge the breach, though some customers reported being reimbursed their stolen credit.

Hilton’s loyalty program has as many as 38 million members.

Security expert Brian Krebs of Krebs On Security reported that the hackers were able to use over a quarter of a million points belonging to one customer before using his credit card to purchase more.

Krebs was able to uncover a number of online forums where hotel loyalty points were on sale for a fraction of their worth. An allotment of points worth $1,200 in hotel reservations could be acquired for approximately $12. The points are valuable currency for hackers, as they can be redeemed for items at Hilton’s shopping mall.

Breaches like this are becoming more common, and they shouldn’t be surprising. In late September, a study released by Deloitte found that 75 percent of frequent travelers expect their loyalty program data to be secured to at least the same standard as a financial institution – but only 33 percent feel their accounts are secure enough.

The study found that travel and hotel companies are asking for more personal data from customers than ever before, but are not matching these requests with equal security. The study also showed that any breach of loyalty data would have a significant impact on the brand involved, with 23 percent of survey respondents saying that, should a breach occur, they would be less likely to return to that company, while 15 percent said they felt “a lot less likely” to return.