In an increasingly competitive business environment, companies prize customer loyalty above all else, which makes their loyalty schemes an ever more important part of strategic growth. Starbucks told investors last year that Starbucks Rewards members drove a record 53% of its Q3 2022 revenue in the US. But as firms hoover up more and more data on their customers, these accounts have become highly sought after by cybercriminals and fraudsters. Hilton Hotels and Air France-KLM are just the latest two big-name brands to have suffered a breach of their loyalty programs.
Organizations need to recognize this growing risk to their reputation and bottom line, and take steps to protect that data at the source through strong encryption or tokenization.
Why are hackers and fraudsters taking note?
The global loyalty program market was worth around $9bn back in 2021, but is projected to grow at a CAGR of 17% through 2027, reaching double-digit billions before long. It has become a staple of multiple industries, from hospitality and travel to retail, beauty and pharmaceuticals.
But with revenue and customers has inevitably come scrutiny from cybercriminals. Loyalty points and the personal data held in customer accounts have become a valuable commodity on underground sites. What are the main threats to organizations and their loyalty card customers?
- Theft of personal customer information from accounts, which could include payment card data, logins, names, addresses and phone numbers. All of this could be sold on the dark web and/or used in follow-on phishing attacks designed to elicit more sensitive information for identity fraud.
- Credential stuffing using logins stolen from loyalty card accounts. If the customer reuses the same logins across other accounts, hackers can use automated tools to access those accounts too. In just a year, one vendor found over four million stolen credentials related to airlines, travel and hospitality organizations.
- Illegal use of points is on the rise. Loyalty points from hijacked accounts can be used by threat actors to purchase flights, hotels and other goodies, which are then sold on at a significantly marked-down price.
- An extended supply chain of partners that might manage or interact with loyalty programs expands the attack surface. Some of these may have lower levels of baseline security, leading to cloud misconfigurations which can leak data.
Loyalty programs are an easy target because many organizations still underestimate the level of fraudulent and hacking activity focused on this sector.
Counting the cost of breaches
Organizations might not have included their loyalty programs in cyber risk planning exercises, but they should. A serious breach could result in major financial and reputational costs, including:
- The cost of reimbursing customers in stolen points
- Lost customers
- Class action lawsuits following a large-scale breach of customers’ personal information
- The cost of breach investigation, remediation and notification
- Regulatory fines
- Derailing of digital transformation and loyalty initiatives
- Lost trust and damaged partner relationships
Protect the data first
All of which should make data-centric security a priority for loyalty programs. Data-centric security providers like comforte offer tools to:
- Automatically discover and classify your most sensitive data, including loyalty card data
- Continuously find data wherever it is located (on-premises and in the cloud)
- Apply strong protection (e.g. encryption, tokenization) directly to that data at rest, in motion and in use, in line with policy
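To make the third point concrete, here is an added, self-contained illustration of vault-based, format-preserving tokenization applied to loyalty-account records. It is example code written for this page, not comforte's product or API; the record layout, the `LYL-` member-ID format, the field names and the `fraud_ops` role are all constructed assumptions. The idea it demonstrates is the one the list describes: the real values live only in the vault, every downstream copy (analytics, partner exports, backups) carries surrogates that keep their shape, and a stolen copy of the protected dataset contains none of the original identifiers.

```python
import re
import secrets
from copy import deepcopy

# Constructed sample loyalty-account records (illustrative, not real customers).
SAMPLE_RECORDS = [
    {"member_id": "LYL-4821-9930-1182", "email": "alice@example.com", "points": 48200},
    {"member_id": "LYL-7750-0042-6613", "email": "bob@example.net", "points": 1200},
    {"member_id": "LYL-4821-9930-1182", "email": "alice@example.com", "points": 48200},  # duplicate row
]

MEMBER_ID_RE = re.compile(r"^LYL-\d{4}-\d{4}-\d{4}$")
# Fields that a (hypothetical) discovery/classification step flagged as sensitive.
SENSITIVE_FIELDS = ("member_id", "email")


class TokenVault:
    """Vault-based tokenization: the real value is stored only inside the vault and
    callers receive a random surrogate. Tokens are reused for repeated values so that
    joins and de-duplication keep working on the protected copy."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def _make_token(self, value, kind):
        if kind == "member_id":
            # Format-preserving: keep the LYL- prefix and the last four digits
            # (enough for an agent to confirm identity), randomise the rest.
            body = "-".join("".join(secrets.choice("0123456789") for _ in range(4)) for _ in range(2))
            return f"LYL-{body}-{value[-4:]}"
        if kind == "email":
            # Keep the shape of an address; the domain uses the reserved .invalid TLD.
            return f"tok-{secrets.token_hex(6)}@token.invalid"
        raise ValueError(f"unknown field kind {kind!r}")

    def tokenize(self, value, kind):
        key = (kind, value)
        if key in self._value_to_token:
            return self._value_to_token[key]
        while True:
            token = self._make_token(value, kind)
            # Avoid collisions with existing tokens and with the value itself.
            if token != value and (kind, token) not in self._token_to_value:
                break
        self._value_to_token[key] = token
        self._token_to_value[(kind, token)] = value
        return token

    def detokenize(self, token, kind, caller_role):
        # Only an explicitly authorised role may recover the original; everything
        # else (analytics, partners, exported backups) works with tokens only.
        if caller_role != "fraud_ops":
            raise PermissionError(f"role {caller_role!r} may not detokenize {kind}")
        return self._token_to_value[(kind, token)]


def protect_records(records, vault):
    """Return copies of the records with every sensitive field tokenized."""
    protected = []
    for rec in records:
        out = deepcopy(rec)
        for field in SENSITIVE_FIELDS:
            if field in out:
                out[field] = vault.tokenize(out[field], field)
        protected.append(out)
    return protected


def leaks_original_pii(protected, originals):
    """Simulate a breach of the protected dataset: does any original sensitive
    value appear in it? Returns the list of leaked values (empty means none)."""
    original_values = {r[f] for r in originals for f in SENSITIVE_FIELDS if f in r}
    return [rec[f] for rec in protected for f in SENSITIVE_FIELDS if rec.get(f) in original_values]


if __name__ == "__main__":
    vault = TokenVault()
    safe = protect_records(SAMPLE_RECORDS, vault)
    for row in safe:
        print(row)
    print("leaked originals:", leaks_original_pii(safe, SAMPLE_RECORDS))
    print("fraud_ops lookup:", vault.detokenize(safe[0]["member_id"], "member_id", "fraud_ops"))
```

The points balance is left in the clear because it identifies nobody on its own; the design choice worth noting is that the vault, not a hash, provides the value-to-token mapping, so an attacker holding the protected copy cannot brute-force member IDs offline, and the only path back to a real value is the access-controlled detokenize call, which is where logging and alerting belong.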
No amount of perimeter security is going to be enough if hackers can slip by defenses using stolen employee credentials or exploiting zero-day vulnerabilities. Protecting the data wherever it goes means that even if it is stolen, it will be rendered useless to hackers and the fraudsters they try to sell to. That’s the way to mitigate compliance, financial and reputational risks stemming from loyalty programs – and preserve an important growth engine of the future.