
Why cybercriminals love brand loyalty programs?

Updated Thu, January 26, 2023 6:32 EST

Many branded companies, especially in the retail and hospitality sector, offer loyalty programs for their customers. These programs influence customers to frequently purchase from a particular brand by offering freebies, special discounts, or reward points. Loyalty program discounts can be pretty effective in certain purchases such as car rental, hotel bookings, or airfares. Equally rewarding are the reward points, which, when accumulated, can be redeemed for profitable bargains.

The USA alone has at least 3.8 billion reward memberships in customer loyalty programs. According to Oracle, 72% of adults in the USA are associated with one or more brand loyalty programs.

The idea behind loyalty programs

Companies and brands offer loyalty programs to face increasing competition, especially when everybody is trying to win a slice of the market. Brand loyalty is fickle among consumers, who are open to better products, better services, and lower prices. Companies create loyalty programs to reduce customer attrition and, at the same time, to collect key customer information that lets them mine personal data and explore profitable partnerships.

Today, plain vanilla selling is passé. Companies that offer reward or loyalty programs are the ones that are thriving. As retail grows on the back of a burgeoning young population globally, consumers have more disposable income in hand. The loyalty trend has spread across many sectors: airlines, hotels, gas stations, utilities, retail, and pizza chains, to name a few.

As loyalty programs continue to grow, fraudulent takeovers of loyalty program accounts have increased as well. Companies therefore face two challenges at once: retaining customers by offering loyalty and reward programs, and protecting those reward and loyalty accounts from hacking and takeover by cybercriminals.

Cybercriminals are always one step ahead. Cybersecurity experts generally expect hackers to target large corporations and concentrate their defenses there, so the hackers shift their targets to the retail sector, including loyalty programs. While online fraud has been increasing at 12% year over year, loyalty program fraud increased by 89% in 2019, and this is not going to come down any time soon. The pandemic-induced stay-at-home culture has prompted most major brand retailers to shift to e-commerce, giving cybercriminals new opportunities to disrupt services and steal data. Ransomware attacks have gone up by 148%, and retailers must have their cyber defenses ready.

When one thinks of loyalty programs, hotel or airline offers come to mind, and data breaches by hackers have been significantly travel-related. In the 2018 Marriott hotel chain breach, millions of customers' credit card and passport details were taken by the attackers. Many compromised airline accounts are known to be traded on the dark web.

Modus operandi of attacks on loyalty programs

Exposed user credentials are harvested and put up for sale on the dark web. Loyalty programs are attractive to hackers because they provide PII (personally identifiable information), reward points, and loyalty discounts that can all be used fraudulently.

People generally secure their banking accounts with strong passwords because they understand that anyone accessing the account could cause a monetary loss. With loyalty program accounts, they get careless about how they choose and store their passwords or PIN (personal identification number) because they attach less value to them. Many hackers target loyalty program accounts precisely because customers use easier username and password combinations there. People also tend to reuse the same or predictable passwords, such as a date of birth, across other online accounts. A hacker who obtains even one set of leaked credentials can try permutations and combinations of them against loyalty program accounts.

How to protect loyalty accounts?

One should avoid using the same password across multiple sites and accounts. Using a different password for each account is recommended, and each password should be long and hard to guess. Avoid predictable passwords such as a name, date of birth, or passport details.

One should also change passwords regularly and monitor them using an identity theft protection product. These tools alert the user whenever their username and password are found on the dark web, prompting them to change the password to a safer one.

How can companies protect loyalty accounts? 

Companies offering loyalty programs can encourage customers to be security conscious. They can educate their customers on the dos and don'ts when using their loyalty program cards at POS (point of sale) and keep track of their reward points.   

Companies can run their own screening programs and alert the customer whenever their account is compromised. This allows the customer to act before the points are fraudulently redeemed or there is other damage such as data theft.

There is no one-size-fits-all solution for preventing cyber-attacks on brand loyalty programs. But companies can take various measures to protect against attacks; otherwise, they can irreversibly suffer financial loss, customer attrition, and loss of brand reputation. Keeping customers' data safe and secure increases brand loyalty and also improves ROI. The majority of customers do not mind paying more for secure products and services. However, for companies to stay one step ahead of cyber threats, they need to have a well-planned cybersecurity protocol in place.

Some key steps companies can take to avoid cyber-attacks on their loyalty programs specifically:

  • Improve the cybersecurity protocols of loyalty programs by encouraging customers to use strong passwords and multi-factor authentication. Closely monitoring loyalty program metrics can also catch credential breaches by hackers or suspicious activity on customer accounts early.
  • Prevent insider threats by implementing role-based access control (RBAC) and constantly monitoring employees' network activity for any signs of abuse.
  • Appoint a third-party identity and access management provider for password management. Such a security platform gives complete visibility into employee password practices, enabling the company to monitor password use and enforce security policies, including strong passwords, two-factor authentication, role-based access control, and other controls.
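As an added example (not code from the original post or from any vendor it mentions), here is the kind of loyalty-program monitoring the first bullet describes, in Python over constructed login and redemption log lines: it flags source addresses that try many different accounts with mostly failed logins (the "permutations and combinations" pattern described under modus operandi) and points redemptions that follow a successful login from such an address within a short window. The log format, field names and thresholds are assumptions.

```python
"""Flag credential-stuffing sources and risky redemptions in loyalty-program logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp event account source_ip outcome
SAMPLE_LOG = """\
2023-01-26T10:00:01 login acct1001 203.0.113.9 fail
2023-01-26T10:00:02 login acct1002 203.0.113.9 fail
2023-01-26T10:00:03 login acct1003 203.0.113.9 fail
2023-01-26T10:00:04 login acct1004 203.0.113.9 success
2023-01-26T10:00:05 login acct1005 203.0.113.9 fail
2023-01-26T10:00:06 login acct1006 203.0.113.9 fail
2023-01-26T10:02:00 redeem acct1004 203.0.113.9 success
2023-01-26T10:05:00 login acct2001 198.51.100.7 fail
2023-01-26T10:05:30 login acct2001 198.51.100.7 success
2023-01-26T11:00:00 redeem acct2001 198.51.100.7 success
"""

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, account, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "ip": ip, "outcome": outcome})
    return events

def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """IPs that hit many distinct accounts with a high share of failed logins."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["event"] != "login":
            continue
        accounts[e["ip"]].add(e["account"])
        total[e["ip"]] += 1
        if e["outcome"] == "fail":
            fails[e["ip"]] += 1
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts
            and fails[ip] / total[ip] >= min_fail_ratio}

def risky_redemptions(events, window=timedelta(minutes=10)):
    """Redemptions soon after a successful login from a flagged source IP."""
    flagged = stuffing_sources(events)
    logins = [e for e in events if e["event"] == "login" and e["outcome"] == "success"]
    risky = []
    for r in events:
        if r["event"] != "redeem" or r["ip"] not in flagged:
            continue
        if any(l["account"] == r["account"] and l["ip"] == r["ip"]
               and timedelta(0) <= r["ts"] - l["ts"] <= window for l in logins):
            risky.append((r["account"], r["ip"]))
    return risky
```

In production the thresholds would be tuned against the program's normal traffic, and a flagged redemption would hold the points and notify the customer rather than merely log.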


Customers have a good memory, and they do not hesitate to walk away from a brand if their security is compromised. With cyber-attacks becoming common and publicly known, consumers are hesitant to use brands that have been victims before. Therefore, branded companies need to continuously assess the risk to their business and have a disaster recovery plan in place.
