Travel-related websites have been hit hard with data breaches over the past few months, with hackers infiltrating more than 20 sites. Two of them were United Airlines and American Airlines, TechWorld reports, and it’s not necessarily your personal information the hackers are after. These guys want your miles. 

Miles Good as Cash 

Gaining access to airline reward and loyalty cards is nearly as good as cold, hard cash, according to online security expert Alex Holden. He says criminals can use stolen reward points to buy airline tickets, and then sell those tickets for cash. They can also exchange stolen miles at sites like, where they can redeem them or use them to buy gift cards. 

The United Airline breach involved 36 MileagePlus loyalty card accounts, where hackers gained entrance by reusing login information they found elsewhere. The American Airlines attack involved 10,000 passenger accounts, two of which were used to schedule free travel or a travel upgrade. Both airlines said the usernames and passwords were not obtained through the company sites, but rather from other sources. 

Holden doubles as CTO of Hold Security, a firm that monitors illegal trade and alerts companies if their data is discovered. His company regularly spots lists containing travel-related login information for sale. Other means of obtaining travel-related information is by hacking into travel agencies. 

Holden and crew can frequently determine where the information came from based on website structures, file names and types of data in the stolen databases. In other cases, hackers blatantly advertise where they obtained the list to make their sales pitch more lucrative. 

Travel-related information has already become fairly lucrative, now demanding the same price range formerly reserved for information from dating and employment websites. Criminals are hot for dating site information to send spam selling products like Viagra. Employment site information can be useful for launching job-related spam, such as work-at-home scams. 

Cyber Gang 

One of the biggest thefts Holden and crew uncovered was by a gang out of Russia. Nicknamed “Cybervor,” the gang got its hands on a database packed with 1.2 billion usernames and passwords along with 500 million email addresses. More than 420,000 travel industry websites were affected, including Southwest Airlines, and Expedia.

Keep your travel expenses secure – and easily managed – with the best expense report software.

Have you addressed potential corporate travel security breaches? Share your best practices with us.


Comments are moderated so they may not appear immediately on the site.
EXPENSE Buyer’s Guide - Everything you need to know.

EXPENSE Buyer’s Guide

Everything you need to know.

Download PDF