Hackers face loyalty card treasure trove

Security experts have called for Australian organisations to update their security and privacy policies as they invite customers to access more loyalty card services online.

Loyalty programs run by the likes of Coles, Woolworths, FlyBuys and Qantas could be a treasure trove for cyber criminals looking to misuse personal details such as name, address, date of birth and transactional history.

Once upon a time, such customer data was held on big mainframes in locked rooms and only a few people had access.

But according to Paul Ducklin, head of technology at IT security firm Sophos, databases now were open to more users, due to the trend to allow access to loyalty programs online.

Ducklin said web access created better functionality for the user but was the equivalent to “taking a locked filing cabinet and connecting it to the web”, asserting that it was vital to ensure that strong locks were put in place and limit who was given a key.

But many companies had not updated their policies accordingly, he said, noting that several still allowed all authorised users to access the entire customer database.

A number of recent security breaches and investigations have highlighted the risk of security holes in online customer databases.

Vodafone Australia faced the ire of Australia’s Privacy Commissioner last year for allowing its entire customer database to be accessed from any computer using shared logins used by employees in a store.

Meanwhile, Sony's PlayStation Network fell victim to one of the biggest hacks of consumer data in history, with up to 77 million accounts potentially affected. Stolen data included names, billing and email addresses, birthdays and credit card details.

Identity, location and theft

Experts warned that loyalty card programs made particularly juicy targets because of the detailed transactional data involved.

“If the information is useful to loyalty programs, imagine how useful it would be for cyber crooks,” Sophos' Ducklin said.

“For example, a frequent flyer program might show that someone is always absent on Thursday or Friday nights or that they took a flight from Australia to the US a week ago and haven't returned yet, so it's a good time to send scams to chums.”

Sam Bryce-Johnson, technical manager at IT security firm Kaspersky Lab Australia & New Zealand, agreed that location information was a concern.

“Imagine a supermarket or petrol station loyalty card which logs the shops location,” he said.

“If a criminal was tracking this data, they could see when the victim is out of town, leaving them open to more traditional forms of theft.”

Identity theft presented another risk, with Bryce-Johnson noting that although each piece of information may not reveal too much on its own, a collection of data may be used to fraudulently obtain official documents.

Bryce-Johnson also highlighted the potential for stealing the loyalty points themselves and using them to purchase flights or consumer goods.

“Although loyalty card points are often not redeemable for money, they can be spent on both necessary and luxury goods. In some cases, this makes the points as valuable as money,” he said.

“Also, because individuals often don’t keep as close an eye on their loyalty points as they would their credit card statements, theft of loyalty points can remain undetected for a longer period of time.”

Australian privacy protections

Australian Privacy Commissioner Timothy Pilgrim noted that companies were "required to have a publicly available statement or privacy policy that tells people how they handle personal information" under Australian law.

“There are also rules about when businesses can share your personal information with others," he told iTnews.

"Importantly the Privacy Act also requires businesses to keep personal information safe and secure from unauthorised access, modification or disclosure and also against misuse and loss.”

But beyond the legal obligation to publish a privacy policy, there appeared to be a dearth of information to enable people make an informed decision.

Operators of Australia's largest loyalty card programs -- including Coles, FlyBuys and Qantas -- either declined or failed to respond to iTnews' questions on the topic over a three-week period.

A Woolworths spokesman stated: "Suffice to say, Woolworths have very strict parameters in place about how we protect our customers' information and we do not sell it to third parties."

Ducklin urged consumers to first think about whether it was worth giving their data away in the first place, then determine whether they could trust the organisation to protect their information.

The key question, he said, was whether the business limited the amount of information that could be accessed online and put stringent security controls around any information that was available.