They were saving up Alaska Air miles. Then their accounts got drained
On Nov. 1, Sabrina James was scrolling through her phone before bed when she got a strange email from Alaska Airlines.
A flight from Milan to Madrid had been booked using her miles. But the name on the ticket wasn’t her own. Besides, James had no plans to go to Madrid and she certainly wasn’t in Milan; she was at home on the other side of the world in Clovis, California, where it dawned on her that her miles had likely been stolen.
“My heart jumped,” she said in an interview on Monday.
James tried to log into her Alaska Airlines loyalty account, but her email and password didn’t work. After over an hour on hold with customer service, she learned that someone had entered her account, changed the email associated with it and used 7,500 miles to buy the Madrid flight.
James was a victim of loyalty fraud – a type of scam where someone takes over another person’s loyalty account and redeems the associated miles for flights or gift cards, usually to resell them.
Since the summer, a steady stream of Alaska Airlines customers have been hit, according to testimonies both posted on social media and shared with the Seattle Times. Victims report getting hundreds, if not thousands, of their miles fraudulently redeemed.
“These are proprietary currencies that across the board are worth billions of dollars,” said Gary Leff, a travel expert who specializes in airline loyalty programs. Thus, loyalty programs “are going to be a huge target for fraud.”
Fraud has dogged airline loyalty programs for years. The problem goes beyond Alaska Airlines: Customers have reported fraud in other U.S. airline loyalty programs this past year.
In July, Hong Kong carrier Cathay Pacific identified a mileage heist affecting 1,000 accounts. A few years prior, the Department of Justice charged six men with stealing millions of frequent flyer miles by hacking into loyalty accounts and redeeming the miles for flights.
The problem is on the rise: Travel companies report seeing an over 50% increase in account takeover attacks over the past 12 months, according to a business survey conducted by fraud prevention company Ravelin. Respondents also said that they expected the frequency of such attacks to continue to rise at approximately the same rate.
Airline programs are uniquely vulnerable to loyalty fraud. People collect points or miles because they’re valuable and treat them like money. Points might be as good as cash, but loyalty accounts themselves do not have the same security as bank accounts.
Even today, all it takes to log into the Alaska Airlines website is an email and a password, this reporter determined by signing out and back into her account.
This data can be easily obtained “through technology glitches, through outright fraud, through mistakes,” said Leff.
“We are aware of the issue involving fraudulent use of the loyalty program,” wrote an Alaska Airlines spokesperson in an email. “Addressing the fraud and safeguarding our guests’ hard-earned points is a priority for us. We have a dedicated IT security team hard at work on protecting our systems to ensure this does not happen to others. If a guest has reason to believe that they are the victim of a fraudulent scheme involving their Atmos Rewards account, we encourage them to contact our guest care team immediately so that we can solve the issue and make it right.”
Passwords often get leaked in data breaches and then sold on the darknet, for instance. People also frequently reuse passwords, leaving their accounts vulnerable to hacking.
“Virtually everyone has had compromised accounts of some kind,” Leff said.
For victims, fraudulent mileage redemptions are akin to stolen cash.
On July 2, Amol Koldhekar discovered that someone had redeemed 510,000 miles from his Alaska Airlines account for a pair of business-class tickets from New York City to Hangzhou, China, with a layover through Doha, Qatar. (Alaska Airlines’s loyalty program allows users to book international flights on partner airlines.)
By the time he caught the redemption, the flight was nine hours away from takeoff. He canceled it immediately and got his miles back.
“For me, the miles are a way to save money, but also to have experiences that I probably wouldn’t be able to pay for easily,” he said.
While airline miles don’t have a fixed value, customers can easily approximate their worth based on what they can be redeemed for, or what they cost to buy outright.
As of Tuesday, customers could buy 180,000 Alaska miles for $3,500. By that measure, Koldhekar’s miles would have been worth nearly $10,000.
Koldhekar believes Alaska Airlines needs to ramp up the security for its loyalty program. The company does not have two-factor authentication measures to verify account logins. It also doesn’t always send out alerts to account holders upon redemption.
Koldhekar said that he never got any notification from Alaska Airlines about the fraudulent mileage redemption. Instead, he had been tipped off by a check-in reminder sent by a third-party app he uses to track his points across accounts.
Eventually, Alaska Airlines offered him the option to lock his miles with a PIN number, adding an additional layer of protection to his account. But that would mean calling customer service and waiting on hold for an indeterminate amount of time for a human representative any time he wanted to redeem his points. Instead, he just changed his password.
Typically, airlines will eat the cost of stolen miles by refunding them to customers’ accounts.
Ben Guericke, of Bozeman, Mont., noticed in late summer that someone had used his Alaska Airlines account to redeem three flights, draining it of 80,000 miles.
Eventually, the company refunded the miles, but warned that it was a one-time courtesy.
“I’m happy I got my miles back,” he said. He’s surprised that Alaska Airlines’ website doesn’t have two-factor authentication in place, nor does it notify people when the contact information on their account changes. “Miles have monetary value and should be treated as such.”
Guericke is from Seattle and occasionally uses miles to fly home.
For James, her fraudulently redeemed miles are still missing, weeks after she flagged the issue.
Until recently, Alaska Airlines had been her favorite airline, and she’s a devoted user of the company’s Visa card, recently rebranded as Atmos Rewards. Every year, she flies the carrier to visit Seattle with her family. The stolen miles are worth a round-trip flight to the city.
James’s Alaska Airlines account is filled with private information about herself, family members and even friends, for whom she occasionally buys tickets. For a moment, all their addresses, passport details, payment methods and past trips were potentially exposed to strangers online.
“This isn’t just about the miles,” she said. “This is about the security of everything that was in there.”
She wrote to Alaska Airlines, including the company’s CEO, expressing her disappointment in the security breach. She’s still waiting on a response.