photo courtesy Hilton Hotel

Hackers Seek Your Hilton Rewards
| published November 7, 2014 |

By Thursday Review staff

International hackers are no longer interested in only your cash or your credit, or, for that matter, other personal information like social security numbers or cell phone data.

Law enforcement officials and Hilton spokespersons have acknowledged that earlier this year unknown hackers gained access to the Hilton’s HHonors program—a system which rewards points to frequent travelers and guests of Hilton properties worldwide—and systematically drained the points from tens of thousands of individual accounts, shifting their value into other accounts set up by the criminals.

The problem was first noticed last month when hundreds, then thousands, of Hilton customers and related travel agents began to notice unusually large movements of points from accounts. The crime was executed fairly directly: hackers broke into the database, but also immediately changed the primary and secondary email accounts; then, the hackers requested a change of password be sent to the newly created email accounts. Within minutes, hackers could then drain the account of as many Hilton points as they desired.

Hilton has offered little in the way of public comment, but law enforcement officials are seeking to trace the thieves’ digital trail to determine who—or what group—was responsible for the theft. Along with the Hilton points, other personal data may have been stolen as well, though sources close to the investigation believe that the primary target of the attack was simply the large value of the points. The points can be easily sold through black market channels at a discounted price.

Some computer analysts and security experts suggest that such attacks may become much more common, as individual thieves and organized crime continue to seek innovative and profitable ways to steal cash—or cash value—without immediate detection.

Data breaches and security failures have become more commonplace and penetrative within the last 12 months. Retail giant Target has faced withering profit loss as a result of its massive data breach last fall, when hackers found a backdoor into Target’s credit card and debit card system. The thieves made off with the personal data and credit card information of some 70 million customers. Weeks later, the public learned of similar attacks on Michael’s and Nieman-Marcus. This year, hackers have stolen the credit card and debit card data from millions of Home Depot customers, and in August we learned that hackers may have launched an attack on millions of customer accounts at JP Morgan Chase, one of the largest banks in the U.S. Over the spring and summer, Chinese hackers may have been responsible for the theft of the medical and personal data of millions of patients of Community Health Systems, a huge company which owns or manages hospitals in the United States and Canada.

Computer and security analysts say that the Hilton program was vulnerable all along, and used a relatively weak system for resisting savvy attacks. Hilton’s system uses a weak password criteria and an easy-to-hack PIN process, and law enforcement officials suggest that the hackers saw an opportunity that was too tempting to resist.

Related Thursday Review articles:

Home Depot’s Data Breach: Worse Than We Thought; Thursday Review; September 23, 2014.

China’s Heartbleed Hospital Hack; Thursday Review staff; Thursday Review; August 21, 2014.

New Retail Cyber-Threat: Back-Off; Thursday Review staff; Thursday Review; August 2, 2014.