We recently read a heartbreaking story about an American Airlines frequent flyer named Jill Frankfort.
She spent years saving up more than 150,000 AA frequent flyer miles with plans for a major trip with her husband.
Consumer advocacy blog Elliot.org explains what happened when she went to book the trip:
“I logged into my American Airlines account,” Frankfort remembers. “Suddenly, I discovered transactions for tickets that I did not authorize.”
“All of Frankfort’s American Airlines miles were gone. She studied the information. One transaction had resulted in most of the lost miles. A couple, their names listed in her account, had flown from New Delhi, India, to Doha, Qatar, in business class.”
It's hard to know if these were the hackers themselves or someone who bought the stolen miles on the cheap. But we do know cybercriminals sell stolen miles and points on the Dark Web, which is a hotbed for cybercrime of all types.
As soon as our SecureWorld team read this story, it reminded us of our recent interview with Trend Micro senior researcher Mayra Rosario Fuentes, who studies Dark Web markets, including those in the region where the hacked AA miles were used.
Cybercriminals travel on the cheap through what they advertise on crime forums as "discount travel."
"... cybercriminals run this business by offering services paid for using stolen credit cards and hacked loyalty program accounts... Most of the travel discounts offered are for flights and hotels starting at 30% off the original price."
So what happened to Jill Frankfort's AA miles in the end? Did she get them back?
AA refunded just 25,000 miles, as a gesture. The airline essentially said the miles had been drained too long ago to be recovered, so be sure to check your account at least every month and report anything unusual.
Her lesson should be a warning to the rest of us: Make sure your hotel points and frequent flyer accounts have strong passwords, and use different passwords for each online account you have.
Otherwise, the big trip you've been saving for—for years—could be taken by someone else.