It's not just your credit card number that hackers want anymore. It's your points.
Marriott International's disclosure on Nov. 30 that it's investigating how hackers siphoned data about 500 million guests is the latest example of fraudsters targeting the $238 billion loyalty industry. Hackers have found it's increasingly easy to access rewards portals and quickly redeem consumers' hard-earned points and miles for gift cards or hotel stays.
"It's very easy for fraudsters to launder loyalty points," said Michael Reitblat, chief executive officer of Forter, a company that helps retailers fight fraud. "More and more organizations are offering loyalty points because it does create repeat-buying habits, but when they're exposed, it becomes a massive liability."
Marriott said that over four years, hackers accessed records on as many as 500 million Starwood hotel guests — data that included, in many cases, passport numbers, travel histories, loyalty program accounts and encrypted credit card data. Marriott bought Starwood Hotels & Resorts Worldwide in 2016 and completed the integration of the two companies earlier this year.
Marriott's shares slumped as much as 6.9% as regulators, investors and customers assessed the fallout from the hack.
Marriott joins the ranks of airlines and hotel chains, such as Hilton Worldwide Holdings and British Airways, that have had to deal with the fallout from data breaches of their loyalty programs.
In the U.S., consumers maintain 3.3 billion memberships in such programs, earning roughly $48 billion worth of points and miles each year, according to Chargebacks911, a risk mitigation firm that helps merchants handle fraud. About 72% of loyalty programs have experienced fraud.
The data associated with these programs has become increasingly valuable to criminals: On the dark web, a consumer's Social Security number often sells for $1, while loyalty-account information can fetch 20 times that, according to data from Experian.
Here's how it works: After a fraudster gains access to a customer's loyalty account, the easiest payoff comes from cashing in points or miles for gift cards or physical goods from the program's shopping portal. In some cases, points will be redeemed for hotel stays or flights, which are later canceled in exchange for a gift card. Unlike credit-card issuers, loyalty-program operators might not be obligated to make defrauded customers whole.
"With a credit-card number, there's a short window of time that a criminal can exercise using that card" before the person calls the issuer to get a replacement, said Katherine Keefe, who leads breach response services at insurer Beazley. "So there's really almost a limited amount of damage that can be done there."
Hotels, airlines and retailers often operate at a disadvantage when it comes to combating fraud because they want to make it easy for customers to redeem their rewards — meaning hackers can have an easier time accessing accounts too. Customers also check their loyalty accounts less frequently, meaning they're less likely to notice if their points are stolen.
"This is a brand-new area of concern," said Dave Andreadakis, chief strategy officer at Kobie Marketing, which helps retailers develop loyalty programs. "There's an increased sophistication and education amongst fraudsters that this is something that can be leveraged for fraud."
The rise in loyalty fraud has led to changes in insurance coverage. Some insurers have been adding coverage to help their corporate clients mitigate the financial pain caused by the loss of customers after a hack, according to Lindsey Nelson of CFC Underwriting.
"Where customers can be the largest asset of any organization in terms of its reward and loyalty programs, there can be a severe impact to future sales following the breach, which is something that's overlooked in cyber policies," said Ms. Nelson, CFC's international cyber team leader.
Protection for reputational loss doesn't come with every cyber policy, but more insurers have been offering it in recent years, said Robert Parisi, insurance brokerage Marsh's cyber product leader, who declined to comment on Marriott's situation in particular.