
Loyalty Rewards Fraud Theft Hits 800 Qantas Flyers

Airport Contractors in India Used Ticket Booking Systems to Steal Loyalty Points
A Qantas Boeing 737 airliner preparing to land at Brisbane Airport (Image: Shutterstock)

Two airport contractors in India used multiple airline ticketing systems to fraudulently access the account details of about 800 Qantas airline customers to steal loyalty reward points.


The Australian airline said the two third-party airport contractors exploited vulnerabilities in other airlines' travel systems to access Qantas customers' bookings and transfer accumulated reward points. Qantas said the insiders affected other airlines as well.

Qantas is Australia's largest airline company with more than 23,000 employees, flying more than 50 million passengers to over a hundred destinations each year with a fleet of about 125 planes. The airline said in an emailed statement shared with Information Security Media Group that the fraudulent activity occurred over several weeks and the company has been working with partner airlines to secure the exploited vulnerabilities.

"These vulnerabilities were never present in Qantas' 'Manage Your Booking' or Qantas Frequent Flyer systems," Qantas said.

"To ensure this doesn't happen again, partner airlines have restricted the ways frequent flyer details can be changed. For Qantas, this now means calling the contact center and verifying your identity. Since working with our partner airlines to secure their systems, we have seen no further unauthorized activity."

Loyalty fraud costs travel and hospitality companies over $1 billion annually, with fraudsters redeeming stolen points for free hotel stays, discounted flights, upgrades or other travel-related services, according to Transmit Security. Qantas said the contracted third-party company has suspended the two "rogue" employees and the matter has been referred to police in India.

"This was not a cyber hack or data theft, but a case of two rogue employees of one of our suppliers abusing their position to fraudulently steal frequent flyer points," a company spokesperson said. "The activity was stopped back in August with affected bookings remedied and points provided back to our members. We are not aware of any current bookings being impacted."

According to aviation news outlet AeroTime, the two employees worked at Air India SATS, which manages airport transfer and customer service counters and provides check-in, charter, VIP handling, cargo handling and assisted services in India. Known as AI SATS, the company was formed out of a joint venture between Air India and Singapore's SATS Limited.

A Qantas spokesperson told Information Security Media Group Thursday that the company did not share the identity of its third-party supplier in India, but said the investigation into the incident is ongoing.

An Air India spokesperson told Information Security Media Group that AI SATS is a separate corporate entity, and the airline is not involved in the investigation.

According to EY, the global loyalty management market is expected to cross $24 billion by 2029. Because loyalty program accounts are not monitored as carefully by companies and customers as other financial accounts, they serve as low-hanging fruit for fraudsters looking to cash in on lax security.

"Despite fraud prevention measures being implemented, the problem persists as the safeguards put in place for these programs often do not match the level of rigor employed for primary financial systems," EY said, adding that loyalty fraud not only causes financial losses but also hurts customer trust and brand reputation.


About the Author

Jayant Chakravarti


Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.



