The Challenge of Protecting Hotel Loyalty Programs

Hotel loyalty programs are hugely important to the hotel companies; this should be evident to hotel guests from the persistent efforts to get people to sign up for the programs. Hotel reception staff are incentivised to sign up new members, a potential fraud issue in itself. Loyalty programs are increasingly being targeted by serious and organised crime; why?

Loyalty programs hold huge quantities of personal information, and the monetary value of loyalty points in circulation amounts to many hundreds of millions of dollars, if not billions collectively.

In this blog, we will consider why criminals are targeting hotel loyalty programs (and other loyalty programs) and the challenges that hotel companies face in managing this threat.

Loyalty programs are vital to many larger hotel companies because loyalty members can contribute in the region of 40% of revenue. This underpins annual revenues, but it is also an important tool to demonstrate the strength of the brands and consequently is ‘bait’ to tempt prospective hotel owners to sign up with one company or another. This is why hotel companies are so keen to advertise and make claims of huge membership numbers, which in turn advertises their programs as great targets for criminals. The size of the membership, and the companies' thirst for new members, make it easy for criminals to hide within the program by establishing bogus accounts to exploit it. The number of bogus accounts could run to 10-15% of registered membership, potentially higher.
All hotel loyalty programs are based around the earning of points. Each point has a monetary value which may be only a fraction of a cent, but multiplied by the number of points held by hundreds of millions of members, the potential value is staggering. The advantage to criminals is that, unlike cash, points are untraceable. There is also a method of laundering points if a criminal were concerned about traceability, but I will not go into this here. Therefore, loyalty programs make excellent vehicles for serious and organised crime to launder money, particularly when a program has a point-buying scheme.

The hotel companies might claim that limits on points buying per account restrict this; however, there are methods to circumvent this control. Furthermore, to make their programs as attractive as possible to members and potential members, they search for ever more options for members to ‘cash out’ their points beyond buying hotel stays. Most hotel loyalty points can be ‘spent’, for instance, on flights or gift cards, both highly ‘sellable’ commodities. However, what is good for the member is good for the criminals, giving them cash-out options to buy attractive commodities to sell on and so convert points into cash.

Whilst loss of points might be a concern to hotel companies (although the money running the programs is often owner money, not company money), they often overlook or ignore the potential impact of funds extracted from their loyalty programs being used for activities that breach various US and international laws.
From an impact perspective, a more serious concern for hotel loyalty programs is the potential loss or theft of member personal data; even the ‘thinnest’ member profile will contain data that is potentially reportable under data protection laws and regulation. To be able to tailor hotel services to members, with increasingly personalised services, loyalty programs are collecting detailed and bespoke membership data. Such data is also used in marketing to members.

The collection of increasingly granular data increases the value of the data to criminals for direct exploitation of the member or to add to a profile for use in subsequent more complex exploitation.

Hotel companies face a real dilemma in protecting member data: on one hand, they need to make access to accounts as easy as possible for members so as not to ‘scare’ them off, and on the other they need to make access as difficult as possible for criminals. It is a difficult balance.

Another loyalty program data protection challenge is that the cyber footprint and complexity of loyalty systems and networks is huge, with the system connected to all hotels, reservation facilities, ‘cash out’ providers and beyond. Loyalty systems have been particularly vulnerable to increasingly complex, and not so complex, bots that are used to set up bogus accounts, harvest data and steal points. Bot attacks have overwhelmed loyalty system defences, and whilst the primary impacts are managed to a greater or lesser degree, no one could credibly claim that they know or understand ‘what lurks beneath’.
The cybercrime challenges to loyalty programs are self-evident, but sometimes organisational issues undermine defensive efforts. Who is accountable for securing hotel loyalty programs? IT Security? Loyalty Program Owners? System Fund Managers? Sales? Here is the major challenge: often multiple stakeholders have different perspectives, objectives and culture; defining ultimate accountability is usually a challenge, and therefore program defence planning and resourcing are dissipated across teams who are sometimes at cross purposes and have competing spending priorities. This is stacked up against a foe with unity of purpose, intellectual firepower and near-limitless resources.

Hotel companies need to refocus on their loyalty programs, for they are a strategic business enabler, which everybody likes to think about and celebrate, but they are also a potential strategic vulnerability that could strike at the core of the business.