BETHESDA, Md.–While the massive data breach at Marriott hotels exposed significant customer data, it may not be Social Security numbers and credit card information that the thieves find most valuable, according to security experts.
As CUToday.info reported here, hackers stole data from 500 million guests by breaching the Starwood Guest Rewards program. Marriott bought Starwood Hotels & Resorts Worldwide in 2016, which includes the Sheraton hotel brands.
What the hackers may find most valuable is the rewards themselves, the points earned by guests for their stays at hotels or for using partner companies. Loyalty rewards is a $238-billion industry, according to analysis by Bloomberg.
“It’s very easy for fraudsters to launder loyalty points,” said Michael Reitblat, chief executive officer of Forter, a company that helps retailers fight fraud, told Bloomberg. “More and more organizations are offering loyalty points because it does create repeat-buying habits, but when they’re exposed it becomes a massive liability.”
Marriott has confirmed the data breach includes passport numbers, travel histories, loyalty program accounts and encrypted credit card data.
What Really Sells
But, Bloomberg reported, while on the dark web a consumer’s Social Security number may sell for $1, loyalty-account information can fetch 20 times that, according to data from Experian Plc.
“After a fraudster gains access to a customer’s loyalty account, the easiest payoff comes from cashing in points or miles for gift cards or physical goods from the program’s shopping portal,” Bloomberg reported. “In some cases, points will be redeemed for hotel stays or flights, which are later canceled in exchange for a gift card. Unlike credit-card issuers, loyalty-program operators might not be obligated to make defrauded customers whole.”