July 23, 2015 By Rick M Robinson

Loyalty or rewards programs are a popular marketing tool, and for good reason. For businesses, they offer an opportunity to lock in customers in a positive way; for consumers, they provide ways to earn deals or freebies, such as frequent flier miles. This makes a loyalty program a win-win for everyone involved.

Unfortunately, all too often, firms and their customers are not the only winners: Cybercriminals also find these programs attractive. If they can illegally garner reward points intended for loyal customers, they can sell these prizes on the black market. What’s more, security flaws in loyalty programs may compromise customers’ personal data, including their private financial information — the ultimate pay dirt for professional cyberthieves.

Fortunately for enterprises and their customers, security measures are available to ensure that a loyalty program rewards only loyal customers, not those out to abuse the system.

The Growing Challenge of Loyalty Program Abuse

Two recent security breach incidents underline the potential risks in these programs. LoyaltyLobby reported that security researchers discovered the Hilton HHonors program was vulnerable to an attack technique known as cross-site request forgery (CSRF). By exploiting this vulnerability, anyone with a Hilton HHonors account could hijack another customer’s profile simply by knowing the account number. Not only could attackers steal rewards points, they could obtain personal information, including partial credit card numbers.

British Airways and its most loyal customers were victims of another recent security breach, according to The Guardian. Automated hacking software, deployed by unidentified cybercriminals, compromised thousands of frequent flier rewards accounts. No personal information was exposed, but the airline was forced to freeze accounts while the breach was cleaned up — leaving top executive-club flyers unable to use their points in the meantime.

Safeguarding the Enterprise and Its Customers

Concerns about providing personal information threaten to erode consumers’ willingness to participate in loyalty programs, according to TechnologyAdvice. So how can firms protect themselves and their most loyal customers against security risks?

The threats to these programs are not specific to the particular technologies they utilize, but rather are characteristic of a broad range of security threats. Customer data may be compromised by company insiders, unscrupulous customers or professional cybercriminals. Basic security precautions such as the encryption of data at all stages, both in motion and at rest, will help minimize the risk of a breach.

But enterprises must also be proactive in responding to breaches when and if they occur. In today’s information security world, firms must assume that they have already been hacked — and they have to be ready to manage the consequences. This can mean the difference between losing and keeping business. For example, one retail firm, Buffer, gained plaudits for its swift response to a data breach: in a timely manner, it explained what had happened and what it meant, and told its customers how to protect themselves.

Being Proactive in the Security Fight

Reaching out to loyal customers proactively can also be the key to implementing other basic security precautions such as strong passwords. Passwords are frustrating. But the more that customers understand that passwords exist for their own protection, the more willing they will be to put up with minor inconvenience.

By taking affirmative steps to undergird the security of their loyalty program, retail enterprises will be able to continue using this powerful tool to keep their best customers coming back for more.
