The travel industry is the latest target for hackers, according to a security expert. In the past two months more than 20 travel-related websites have suffered data breaches - and it's because airline loyalty cards are proving particularly lucrative for cyber criminals, reports Tech World.
Last week United Airlines reported that three dozen of its MileagePlus loyalty card accounts were compromised using login credentials obtained from a third party. Around the same time 10,000 customer accounts at American Airlines were compromised, and two of those accounts were used to book free travel or an upgrade, according to an Associated Press report.
Neither incident was caused by a data breach, said the airlines; instead the usernames and passwords were obtained elsewhere.
According to Alex Holden, chief technology officer for Hold Security, which specialises in monitoring the illegal trade, data from travel websites is being sold on underground forums by cybercriminals. "Attacks against airline loyalty programmes are very common and profitable," he said.
Gaining control of a loyalty card account is almost as good as cash. If an account has tens of thousands of reward miles, the hacker can sell an airline ticket for cash and pay for it with stolen miles, Holden explained. The points or miles can also be used to access legitimate services such as Points.com, a service for managing multiple rewards programs. Via this service loyalty rewards can be exchanged, redeemed or used for gift cards - an easy way to turn the points into cash.
The business is so lucrative that Hold Security analysts have noticed travel-related login credentials circulating on lists sold by cybercriminals. In some cases, travel agencies themselves have been compromised.
Data from travel sites is now fetching about the same price among criminals as data stolen from dating and employment websites, which are highly sought after by criminals, says Holden. Other lucrative targets include job-seekers - whose information can be used in work-at-home scams.
Last year Hold Security uncovered a cache of 1.2 billion user names and passwords and half a billion email addresses stolen by a Russian-based gang nicknamed Cybervor. Among the websites targeted by the group was travel site Expedia.com, Southwest Airlines and several other airlines, said Holden. The group is sometimes hired by spammers to obtain email addresses from certain services, he said.