Newest Target for Data Thieves: Your Hilton HHonors Points

The Hilton HHonors program was attacked by hackers who drained some accounts of their accumulated points, Brian Krebs, a leading authority on data theft, reported this week.

Hilton has not commented on the reported theft, but loyalty point forums have had some chatter about users losing points over the past few weeks. Krebs said that some consumers have reported finding a list of hotel stays in their accounts using up all their points. The chain has recently added CAPTCHA, an account feature designed to prevent automated use of the site, including programs that try to guess PINs.

Hilton has one of the largest loyalty programs, claiming some 38 million members.

One Victim Lost 250,000 Points

One victim told Krebs that the thieves used more than 250,000 Hilton points he had accumulated and began buying more points with a credit card associated with the account. "They got into the account and of course the first thing they did was change my primary and secondary email accounts, so that neither me nor my travel agent were getting notifications about new travel bookings," Brendan Brothers, co-founder of a Canadian software security company, told Krebs.

Stolen points can also be sold. Krebs noted that the same number of points used to make $1,200 in room bookings from Brothers' account would sell on the black market for about $12.

Attacks on loyalty programs are another twist on data theft. The world's data thieves are perpetually on the hunt for your personal and financial information from businesses of all sorts -- Target (TGT), Home Depot (HD), Sony (SNE), eBay (EBAY). And three years ago, they busted into the data banks of loyalty program marketing company Epsilon to get another mega-dose of consumer info.

"The system was vulnerable, someone took advantage of it and they got through, especially given the ease with which hackers can use brute force computing to crack simple passwords and four-digit PINs," said Kristian Gjerding, CEO of CellPoint Mobile, a technology firm specializing in data security and digital transaction management. "This is just the beginning, a prime example of where loyalty fraud is headed. We're going to see more and more of this."