Best Practices Series
Loyalty programs are everywhere, offering points, perks, or discounts in exchange for something more valuable than most realize: your personal data.
According to a 2021 Harvard Business Review article, customer loyalty programs account for over 3.3 billion memberships in the United States alone. With numbers this high, loyalty programs become more than just a marketing strategy; they become a cybersecurity concern.
At Surefox, we believe in educating our clients and readers on emerging vulnerabilities. In this post, we’re breaking down the residual cyber risks associated with loyalty programs and offering best practices to minimize your exposure.
What Are the Risks?
Data Collection
Loyalty programs often ask for phone numbers, email addresses, home addresses, purchase history, and even behavioral tracking data in exchange for benefits. This information is often sold to third-party marketers or used to fuel ad targeting strategies. Sites may also use tracking pixels to follow your digital activity, compiling a detailed profile that can be used—or misused—without your knowledge.
Data Breaches
When you provide data to loyalty programs, it must be stored—and that makes it vulnerable. Breaches involving email addresses, phone numbers, and purchase history can provide bad actors with enough information to create highly targeted social engineering campaigns. In some cases, access to your home address could even lead to physical security risks.
Data Compromise
Even without a major breach, compromised apps, websites, or loyalty cards can put your personal information at risk. Login credentials, credit card data, and even Social Security numbers may be stored on these platforms. If a loyalty reward number is used as an identifier or verification method, it can easily become a point of attack.
Notable Loyalty Program Breaches
2014: The Hilton Honors program was compromised, allowing unauthorized purchases due to stored credit card data.
2018: Panera Bread saw 37 million accounts compromised. That same year, Dunkin' Donuts DD Perks was attacked, exposing account details and reward QR codes.
2021: SITA, a major air travel IT provider, was breached, affecting millions of users and compromising data like frequent flier status.
2023: ChatGPT Plus suffered a data breach during a March 20 outage, exposing payment and personal data of 1.2% of users active during a specific window.
For the 12th year in a row, the United States leads the world in the cost of data breaches.
How to Minimize Your Risks
Limit the Data You Provide
Use a dedicated email address or a VoIP number, such as Google Voice, when signing up for loyalty programs. Avoid using your personal information if possible.
Use Unique & Strong Passwords
Don’t recycle usernames or passwords. Each loyalty program account should be unique to prevent a breach from affecting multiple platforms.
Keep Software Up To Date
Enable automatic updates for your devices and apps to ensure you’re protected against known vulnerabilities.
Use Multi-Factor Authentication (MFA)
Wherever possible, enable MFA using options like Google Authenticator, YubiKey, or SMS alerts alongside strong passwords.
Use Anti-Virus & Malware Protection
Ensure your devices are protected with current anti-virus software and enable automatic scans and updates.
Ask to Remove Your Data
If you no longer use a loyalty program, request that your personal data be permanently deleted from their systems.
Did You Know?
Surefox specializes in risk and vulnerability assessments, working closely with clients to develop tailored risk mitigation strategies.
Let us help you stay secure, because loyalty shouldn’t come at the cost of your privacy.
Learn how Surefox helps clients navigate digital vulnerabilities. Reach out to our team at ask@surefox.com.
Safely Forward.
About Surefox North America:
Surefox North America is a veteran-founded security firm specializing in high-touch security services. Known for its technology-driven approach and commitment to excellence, Surefox serves a diverse clientele, including top tech firms and private individuals.
