Data Security is a Huge Gap in Frequent Flyer Programs. But Not One Members Actually Care About.

Deloitte Consulting released a new study today (.pdf) suggesting that travelers do not trust the data security policies and practices of loyalty programs.

My take:

  • Deloitte wants to convince loyalty programs to hire them to bolster their privacy and data security.
  • They’d also love it if media picked this up and created pressure for companies to address an issue that Deloitte is ready to sell them a solution for.

Deloitte finds that:

  • 75% of people expect their frequent traveler accounts to offer financial institution-grade security.
  • Only 1/3rd are satisfied with the security of their accounts.


Net net, loyalty program members don’t actually care about this or at least continue to behave as though they are comfortable.

Loyalty programs continue to grow their membership. Here’s data on American, for instance.

In fact, with the US Airways merger American will have 100 million members. United MilgeagePlus is around 80 to 90 million, and Delta Skymiles 70 to 80 million. Those are some large member files. Who exactly are all of the people refusing to participate in these programs over fear of data security exactly?

Meanwhile, the study also suggests that only 20% of people consider themselves knowledgeable about the loyalty policies of their loyalty programs. They don’t even care enough to pay attention to this!

I’m not saying programs shouldn’t worry about data security. They should. A breach is terrible PR, and brings the risk of reduced member trust and engagement. But to suggest members are wary and shying away, so merely investing in this area will drive greater business, seems overly simplistic at best (and likely self-serving on the part of Deloitte).

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. I have some concern of frequent flyer data security, but it’s no worse than any other major company which I shop with or work with.

    I do have concerns about some other account management tools (like awardwallet). I only have their word that they are keeping my actual account credentials safe, but I wasn’t really able to find anything that stated how they were protecting my data.

  2. Hi Gary,

    There are two separate issues for loyalty program security. One is customers don’t treat their loyalty accounts as securely as they would bank accounts. For instance, you might be afraid to log into a bank account from hotel wi-fi. However, you might log into a frequent flyer account for upgrading, booking, etc. This is not secure. Fraudsters set up fake wi-fi networks in hotels, coffee shops, etc. And they will steal loyalty account information to book flights or obtain merchandise from loyalty redemption malls.

    And if the customer who loses his/her miles or points is important enough, I am sure the loyalty program will replace those miles/points at a loss.

    This is happening more and more because anti-fraud measures put in place for credit card purchases online are quite sophisticated, making stealing miles/points (and then being able to use them) an easier target for fraudsters.

    The other issues is security at the programs themselves. If an airline loyalty program system, with its tens of millions of members, is hacked, including credit card details of members, this could be a real mess for the airline. Banks, Hotels and major retailers have already been hacked and it hurt the bottom-line. But, airlines have smaller profit margins than most companies in these sectors, so it could be disastrous for an airline.

    Hackers, especially Russians and Chinese, attack major companies globally and big loyalty program database are certainly interesting to them.

    So, while I am sure Deloitte is trying to draw attention to this issue to win business, loyalty program security is a real and growing threat for both consumers and programs.

    Best Regards,

  3. My travel accounts have ID & passwords. There is at least one layer of security.

    However, if someone has my confirmation number and full name, they can go to the website to look at my itinerary and do many things, including canceling my flight or requesting a non-free change. I don’t think my confirmation number needs to be a guarded secret like my SSN, so a bit of added security would be appreciated.

  4. Deloitte may want that business (and already has some of it), but a lot of these types of programs will get law firms who practice security & privacy into the org. (vs. big consulting firms).

Leave a Reply

Your email address will not be published. Required fields are marked *