Cybercriminals leveraged stolen user names and passwords to access frequent flier accounts at both American Airlines and United Airlines in late December 2014, according to the Associated Press.
In both cases, the airlines themselves weren’t hacked — affected customers had reused their passwords on other sites that had been breached. Delta Air Lines experienced similar attempts to access accounts around the same time, but none were successful.
United Airlines notified affected customers in late December 2014, and American began notifying customers by email on January 12, 2015.
According to United Airlines spokesman Luke Punzenberger, the criminals booked trips or made mileage transactions on as many as three dozen United accounts, though Punzenberger said any stolen miles will be restored to those affected.
In American Airlines’ case, airline spokeswoman Martha Thomas told the AP that about 10,000 accounts were impacted, and in at least two cases, a free flight or upgrade was booked without the account holder’s knowledge.
“Although air miles and points can be used as a form of currency to purchase trips, hotel stays and other goods and services, they generally lack the security controls you would usually see with traditional forms of currency, such as with credit card transactions,” Westin said.
“The fact that these miles and points can be traded in underground markets in exchange for bitcoin or other forms of crypto currency — paired with the lax security to gain access to the accounts — creates a perfect opportunity for the enterprising hacker to generate income from their exploits,” he added.
Trey Ford, global security strategist at Rapid7, told eSecurity Planet by email that the airline breaches serve as a vivid reminder of the dangers of password reuse. “Reusing passwords is dangerous,” he said. “We’ve all been warned about the risks of using the same password for different websites, and yet we still do it.”
“Companies need to keep a close eye on successful login activity — where users are logging in from, how often, and what they are doing,” Ford added. “Most companies focus on help-desk call volume, as failed login attempts are reflected by password resets and phone calls — account access is a critical touch point for all users. Login success and failure are leading indicators that something is wrong.”
“Unlike credit card fraud monitoring, few companies are effectively monitoring login behavior for fraudulent access,” Ford said.
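The kind of login monitoring Ford describes can be built from an ordinary authentication log. The script below is an added example and is not code from the article, from Rapid7 or from either airline; the log format, the thresholds (five distinct accounts from one source within ten minutes) and the sample lines are all constructed for illustration. It looks for the signature of a password-reuse attack: one source address walking a list of leaked credentials, producing mostly failures spread across many accounts, with an occasional success. Per-account lockout does not fire, because each account sees only one or two attempts, and help-desk call volume stays flat, which is exactly why Ford argues that successful logins have to be watched as well.

```python
"""Credential-stuffing indicators over authentication logs.

Added example, not code from the article or from any airline. The log
format, thresholds and sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    src_ip: str
    account: str
    success: bool


# Constructed sample: "<ISO-8601 UTC timestamp> <src_ip> <account> <SUCCESS|FAIL>".
# 203.0.113.7 tries eight accounts in seven seconds and gets into two of them;
# the 198.51.100.x lines are ordinary users (one mistypes a password once).
SAMPLE_LOG = """\
2014-12-28T02:00:01Z 203.0.113.7 alice FAIL
2014-12-28T02:00:02Z 203.0.113.7 bob FAIL
2014-12-28T02:00:03Z 203.0.113.7 carol SUCCESS
2014-12-28T02:00:04Z 203.0.113.7 dave FAIL
2014-12-28T02:00:05Z 203.0.113.7 erin FAIL
2014-12-28T02:00:06Z 203.0.113.7 frank SUCCESS
2014-12-28T02:00:07Z 203.0.113.7 grace FAIL
2014-12-28T02:00:08Z 203.0.113.7 heidi FAIL
2014-12-28T09:15:00Z 198.51.100.20 alice SUCCESS
2014-12-28T09:16:00Z 198.51.100.20 alice SUCCESS
2014-12-28T09:30:00Z 198.51.100.21 bob FAIL
2014-12-28T09:30:30Z 198.51.100.21 bob SUCCESS
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, account, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def stuffing_sources(events: List[Event],
                     window: timedelta = timedelta(minutes=10),
                     min_accounts: int = 5) -> Dict[str, dict]:
    """Flag source IPs that attempt at least `min_accounts` distinct accounts
    within any `window`-long span.

    For each flagged IP the result records how many accounts it tried, how
    many attempts failed, and which accounts it logged into successfully;
    those successes are the accounts to lock and notify, since a successful
    login from a source that is spraying credentials is not the real user.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)  # preserves the global time order per IP

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window forward until evs[start:end+1] fits inside it.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            tried_in_window = {e.account for e in evs[start:end + 1]}
            if len(tried_in_window) >= min_accounts:
                flagged[ip] = {
                    "accounts_tried": len({e.account for e in evs}),
                    "failures": sum(1 for e in evs if not e.success),
                    "compromised": sorted({e.account for e in evs if e.success}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: tried {info['accounts_tried']} accounts, "
              f"{info['failures']} failures, successful logins on "
              f"{', '.join(info['compromised'])}")
```

On the constructed sample this flags only 203.0.113.7 and names carol and frank as the accounts it got into, while the two legitimate users, including bob's single failed attempt followed by a success from the same address, are left alone. In practice the thresholds should be tuned against the normal rate of distinct accounts per source (shared NAT gateways and corporate proxies will look busier than a home connection), and the same grouping can be run per account rather than per source to catch the "where from" and "how often" questions Ford raises.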