Loyalty Programs and Privacy Risks

Who doesn’t love free stuff? And who doesn’t want to be rewarded for spending money? Gas, groceries, airline miles, lattes, and luxury goods – everyone is offering loyalty programs, and most people don’t think twice about signing up for them. On the surface, it seems like a win-win for both parties. The company gets repeat customers for a low retention cost, and the customer gets freebies, discounts, and giveaways. But is there a hidden cost to the customer? How much are your privacy and personal information worth? In recent years, loyalty card and reward apps have become high-value targets for identity thieves and cybercriminals. Many of these loyalty programs collect your personal data, requiring your name, date of birth, address, and email as part of their sign-up process. While you think you’re providing this personal data to the large, secure company you trusted with your initial purchase, many retailers actually outsource the management of these programs to third-party companies. As a result, your personal information is often stored in less secure databases susceptible to breaches. Rewards cards not only have your name, address, and phone number but are often linked to credit card information. If a bad actor has access to this combination of data, it can make you an easy target for identity theft and financial fraud.  

• For example, in 2021, a security breach at the airline technology company SITA compromised over 1.8 million members of two major airline loyalty programs.  
• Similarly, after a 2014 hack of the Hilton Honors program, one member’s account was used to pay for six hotel stays at Hilton properties. The corporate credit card associated with the account was then used to buy more reward points for the hacker.

Your email address is a valuable commodity in the world of digital marketing, particularly when it is tied to information about your purchasing habits and product preferences. Loyalty programs often sell your personal information to other companies, which then target your email and home address with advertising and spam. Not only does this fill your inbox with junk mail, but it also significantly increases the risk that your personal information will be compromised. Don’t want to give up the spoils of smart spending? That’s OK – there are ways to keep yourself safer and still earn rewards:

1. Never include your Social Security number on a loyalty program application. If a driver’s license number is requested, leave that space blank. Most programs will approve you without your license information.
2. Consider creating an email address just for loyalty programs and other commercially related correspondence, such as discounts, newsletters, and other email marketing campaigns.
3. If the loyalty program or app requires a password, create a unique password. Do not use the same password across multiple accounts. You should practice this important security measure across all your accounts and passwords. If you repeat passwords, it takes only one breach to give cybercriminals the ability to hack into your other accounts with the same password.  
4. Many loyalty programs utilize an app. Before downloading it, ensure it is the correct app – there are fake apps designed with the same look and feel as the real app used to hack your personal information. Not all apps need access to your contacts, location, photos, and microphone. Limit the permissions for any loyalty app you add to your phone, granting it only the access it needs to perform its primary function.