Everyone loves loyalty points. They can save you money in the long run when collected responsibly. They also require virtually no effort to collect or use. But, like many things that rely on tech platforms to function, loyalty points are also vulnerable to cybersecurity risks — and so are their users.
Most loyalty programs are at risk of being targeted by criminals, if only because they don’t have as many security features as they should, according to a new report by London-based consulting firm Aon. The report, a cybersecurity forecast for 2018, notes that more companies are wiring their products to the internet. As the number of connected devices continues to expand, so does the “attack surface” (the environments that could potentially be compromised or attacked) for cybercriminals.
In the case of loyalty points, what exactly criminals will be after is still up for debate.
They could be looking for the confidential information of customers or be after the points themselves, said Brian Rosenbaum, national director of the legal and research practice at Aon Risk Solutions, in an interview with CTV News on Tuesday.
In both cases, most retailers would be covered by either a commercial crime or cybersecurity insurance policy. But retailers should also be taking precautions so that cyberattacks aren’t successful in the first place.
The Aon report predicts that bug bounties — compensation offered by software developers to anyone who locates and reports bugs in their programs — will be adopted by many companies that offer loyalty programs in 2018, including airlines, retailers, and hospitality providers.
“The swift, public, and pervasive cyber attacks in 2017 demonstrated how cyber risk cannot be effectively managed solely as an information technology (IT) issue,” said the report, citing the Equifax and WannaCry breaches — two major security hacks that happened in 2017.
The report added, “Companies’ increasing reliance on technology, regulators’ focus on protecting consumer data, and the value of non-physical assets are causing a convergence of cyber exposures that will require security to be integrated into both business culture and risk management frameworks.”