What happened?

In October 2024, Marriott International reached a settlement with the Federal Trade Commission (FTC), agreeing to pay $52 million as well as to restore loyalty points stolen by cybercriminals from its Bonvoy program, which has over 200 million members.  The settlement arises from multiple high-profile data breaches, where sensitive customer information was compromised, affecting millions of guests.

Quick background

Shortly after Marriott’s acquisition of Starwood Hotels in 2016, a significant data breach exposed the information of approximately 383 million guests and was linked to a multi-year intrusion into Starwood’s systems, occurring between 2014 and 2018.  The compromised data included sensitive information such as passport numbers, payment details, personal identification data, and – you guessed it – loyalty points.  In addition, Marriott reported a separate breach in 2020 that affected 5 million guests, further amplifying concerns regarding the security of customer data.

How the recent decision impacts loyalty programs

The FTC’s decision reflects a growing recognition of the potential harm caused by data breaches, not just in terms of personal information loss but also regarding loyalty points – which have now been acknowledged as personal assets. 

  • Marking a change in federal agencies and regulators’ perspective: Acknowledging loyalty points as personal assets – and subsequently restoring loyalty points – signifies a shift in how federal agencies perceive the impact of losing loyalty points for consumers. 
  • Setting a new precedent: This settlement may set a precedent for future data breaches or cyber incidents in the travel industry, emphasizing the need for robust security solutions that prevent account takeover (ATO) and loyalty fraud.
  • Updating projected costs of an incident: Breach risk analysis, which has often been calculated on a cost-per-compromised-record basis, must now be updated to include the added cost of loyalty points restitution, which may be highly variable.

Since it is nearly impossible to distinguish between users whose accounts were compromised directly due to these breaches and those affected by classic credential stuffing or password guessing, all impacted users are likely to be compensated.

Why are loyalty programs a target?

Loyalty programs remain prime targets for adversaries due to the following factors: 

  • Liquidity: Loyalty points can be easily redeemed or transferred, making them an attractive target for fraudsters.
  • Anonymity: The ability to convert points into gift cards or transfer them to other loyalty programs enhances the appeal for bad actors.
  • Stored Information: Accounts often contain sensitive stored payment methods, sensitive travel documents, and personally identifiable information, increasing their value to attackers.

As organizations assess their risk exposure to automated ATO threats, they must expand their risk evaluations to align with the FTC’s new consumer protection standards. 

The inclusion of loyalty points restitution in this settlement signals that businesses in the travel sector may need to recalibrate their cybersecurity investments to address these evolving risks.

Consider U.S. airlines, for example, which often value their loyalty programs at over 20% of their total company worth.  With billions of dollars in unspent points and miles, the financial implications of restoring compromised loyalty points could be significant, often surpassing the direct penalties incurred from a breach.

What can you do to prevent loyalty fraud? 

To mitigate risk exposure, companies that have a loyalty program in place should employ the following strategies:

  1. Shift left in your security practices:
    • Proactively identify warning signs and implement security solutions that prevent fraud as far left as possible.  This approach allows organizations to stop fraud before it escalates, which also reduces fraud losses.
    • Automated requests are a core component of credential stuffing leading to account takeover, which means it is imperative to implement countermeasures designed to prevent unwanted automation.
  2. Educate and enable your customers:
    • Establish reasonable limits on large-scale point redemptions on young or long-dormant accounts. This helps to prevent large-scale point theft without disrupting the end-user experience. 
    • Provide multi-factor authentication (MFA) and resources to help customers understand the importance of strong, unique passwords.
  3. Collaborate with cybersecurity peers and experts:
    • Engage with industry peers to share challenges, information, and best practices.  Organizations like RH-ISAC, A-ISAC, and Loyalty Security Alliance (LSA) help facilitate information sharing and provide valuable resources.
    • Partnering with trusted cybersecurity firms can provide the specialized knowledge and solutions necessary to strengthen your defenses.
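One way to implement the redemption limits and MFA step-up from steps 1 and 2, as an added example that is not code from the original post or from Kasada's products; the thresholds, the channel names and the automation score (assumed to be supplied by a separate bot-mitigation layer) are all assumptions.

```python
# Thresholds are constructed for illustration; tune them to your program's own data.
MIN_ACCOUNT_AGE_DAYS = 30       # below this an account counts as "young"
DORMANT_AFTER_DAYS = 365        # no login for this long counts as "long-dormant"
LARGE_REDEMPTION_POINTS = 50_000
ANONYMOUS_CHANNELS = {"gift_card", "points_transfer"}  # liquid outlets that are hard to claw back
AUTOMATION_THRESHOLD = 0.8      # score at or above which the session is treated as a bot

def evaluate_redemption(points: int, channel: str, account_age_days: int,
                        days_since_previous_login: int, mfa_enrolled: bool,
                        automation_score: float) -> tuple[str, list[str]]:
    """Decide "allow", "step_up" (MFA challenge) or "hold" (manual review) for one redemption.

    days_since_previous_login counts from the last login *before* the current session, so a
    freshly taken-over dormant account still looks dormant. automation_score is assumed to
    come from a bot-mitigation layer (0 = human-like, 1 = clearly automated).
    """
    reasons = []
    young = account_age_days < MIN_ACCOUNT_AGE_DAYS
    dormant = days_since_previous_login >= DORMANT_AFTER_DAYS
    large = points >= LARGE_REDEMPTION_POINTS
    automated = automation_score >= AUTOMATION_THRESHOLD
    if large and young:
        reasons.append("large redemption on young account")
    if large and dormant:
        reasons.append("large redemption on long-dormant account")
    if channel in ANONYMOUS_CHANNELS and (young or dormant):
        reasons.append("anonymous redemption channel on young/dormant account")
    if automated:
        reasons.append("session flagged as automated")
    if not reasons:
        return "allow", reasons
    # Bots and anonymous outlets go to manual hold; a human on a known account gets an MFA
    # step-up, unless they never enrolled, in which case hold rather than let points leave.
    if automated or channel in ANONYMOUS_CHANNELS or not mfa_enrolled:
        return "hold", reasons
    return "step_up", reasons

def sample_decisions() -> dict[str, str]:
    """Constructed requests covering each outcome (not real customer data)."""
    return {
        "regular_small_gift_card": evaluate_redemption(10_000, "gift_card", 900, 10, True, 0.1)[0],
        "young_large_stay": evaluate_redemption(60_000, "hotel_stay", 5, 5, True, 0.1)[0],
        "dormant_large_transfer_bot": evaluate_redemption(80_000, "points_transfer", 900, 500, False, 0.95)[0],
    }
```

The rule only touches requests that combine size, account history and outlet risk, so everyday redemptions on established accounts pass without friction.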

A wake-up call for loyalty program security

The Marriott/FTC settlement serves as a wake-up call for organizations with loyalty programs within the travel, airline, and hospitality industries.  As regulatory bodies emphasize the restitution of loyalty points as a consumer protection measure, businesses must adapt their cybersecurity strategies accordingly. 

A common element in all loyalty fraud is automation.  Therefore, focusing on stopping the bots rather than merely looking for anomalous or fraudulent behavior after the fact is crucial.  By shifting left – focusing on prevention through the detection of automated attacks – teams can address vulnerabilities before they manifest into larger issues.  Prevention is inherently more effective than detection and remediation, allowing businesses to successfully defend against attacks at their inception.

By implementing these proactive steps to prevent loyalty fraud, companies can significantly reduce their risk exposure, safeguard customer data, and minimize financial impact.

Watch my recent webinar with Loyalty Security Alliance or contact us directly to learn more about how we can help stop automated attacks and online fraud.
