Maximise your Avios, air miles and hotel points

What happens when your points are stolen?

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

Over the last couple of months, a number of cases have been emerging on Flyertalk and elsewhere of people who have had their Priority Club points stolen. 

(Priority Club is the loyalty scheme for Holiday Inn, Crowne Plaza and InterContinental amongst other chains.)

For example, a quote from Facebook:

My husband and I have been loyal PC members for years, staying around 200 nights a year. On 9/11 my account was hacked and somebody changed my email address and purchased Amazon gift cards with 148,000 points! I have talked to customer service twice and sent one email and have yet to hear anything on this. Do you know how long it has taken me to save up those points?! Today I can’t even sign on to my account, it’s like it doesn’t exist. I’m getting concerned because I have a reservation tomorrow through the end of the week and don’t know what I’m going to find out when I check in.

What do you do when you wake up one day and find your points have been stolen?  Is it even a crime (the small print of most schemes says that points have no monetary value)?

Whilst this could happen with any programme, the Priority Club website does seem to be substantially weaker than others.  Here are a few key weaknesses:

  • Membership numbers are just 9 numbers long (or an email address) and password just consist of a four-digit PIN code
  • The site does not lock you out however many failed attempts you make at guessing the PIN
  • The programme offers a lot of e-voucher redemptions for retailers where you receive e-mailed gift codes in return for points
  • If you change your e-mail address on the site, there is no confirmatory e-mail sent to your old e-mail address

Amazingly, a hacker would not even need to know that someone was a Priority Club member in order to hack their account.  All they need is a computer running a script which drops a random e-mail address or random 9 digit membership number into and then tries all 9,999 PIN combinations.  It doesn’t take long.  If they had actual account numbers (easily obtained from anyone working in a PC property) then it would be even easier.

The thefts reported on Flyertalk are all from people with high balances (six figures) so it is possible that thieves are only targetting accounts with a lot in them, ignoring any others that the script programme throws up.

What is more worrying is the attitude of Priority Club to all this.  The de facto response to the reports of fraud is to accuse the customer of not telling the truth.  This is despite the fact that in all cases the e-mail address on the account was changed immediately before the account was emptied by way of e-mailed gift vouchers.  This is not a US issue, either, with a number of thefts affecting UK residents, including one Head for Points reader.

I can only hope that, in time, all of the people affected do have their points balances restored.  Unfortunately Priority Club is the worst hotel loyalty scheme by far for customer contact as anyone who has ever had an email exchange with their Philippines service centre will know.

What can you do to avoid this? Nothing, frankly, if the theft really is being done as described above.  A computer could pick your account number at random and then keep guessing PIN’s until it find the right one.

Using a service like AwardWallet to keep track of all your miles and points will at least help you spot any problems, especially if you update all your balances daily or let it e-mail you once a week with all your balance changes.  You do not have to hand over your password details to AwardWallet if you don’t want to – they can be stored locally on your PC if you prefer.

IHG One Rewards update – May 2024:

Get bonus points: IHG One Rewards is offering 2,000 bonus points for every two cash nights you stay (not necessarily consecutive) between 1st April and 31st May 2024. You can read our full article here and you can register here.

New to IHG One Rewards?  Read our overview of IHG One Rewards here and our article on points expiry rules here. Our article on ‘What are IHG One Rewards points worth?’ is here.

Buy points: If you need additional IHG One Rewards points, you can buy them here.

Want to earn more hotel points?  Click here to see our complete list of promotions from IHG and the other major hotel chains or use the ‘Hotel Offers’ link in the menu bar at the top of the page.

Comments (8)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • xcalx says:

    I have just opened an Award Wallet account and the passwords are stored by them. What do others think about passwords, should I store locally on my PC only

    • Raffles says:

      I am happy to let AwardWallet hold my passwords – I value the ability to check balances across the many different PC’s and tablets I use in the average week. That said, if you always use the same computer then you have nothing to lose by taking the extra security gained by storing passwords locally (or indeed on Dropbox as UK1 says, which gives you some flexibility if you desperately need access when away from home).

  • uk1 says:

    It’s great you highlighted this issue. It hasn’t (yet) affected my account but the accouints posted by FT’ers about the ease with which the points were stolen and the complete lack of any attempt to stop the thefts by taking the most basic of steps is alarming. It is terrible that the continued stance by ICHG is that the accouint holders are the fraudsters themselves is unacceptable. Even the ICHG lurkers have been unacceptably quiet and absent on this topic. I hope ICHG take the rudimentary steps to stop accounts being plundered.

  • Andrew says:

    I suppose it couldn’t hurt to try and claim on insurance – they might pay up for a miles purchase, you even if it’s only some of the value.

  • Uk1 says:

    Your right. …. there isn’t the slightest chance that an insurance company would pay up particularly as ICHG would tell them adamantly that you took the points yourself. ICHG are well aware of the problem if you believe what their official lurker has said on FlyerTalk but they seem to believe that doing nothing is the right option.

  • Raffles says:

    One rather extreme suggestion on FT is to book a large number of dummy awards to take your balance down to almost zero. Any script opening your account will therefore see only a small balance and leave you alone. This is risky, though, if you forget to cancel a booking before the date comes round, as you will definitely lose your points this way!

  • Andrew says:

    Any lawyers on here care to comment on whether an affected individual would have a shot with tort law? Despite what their T&Cs say, as a man on the street I would think that their negligence has led to a damage.

  • Mr Bridge says:

    In the case detialed in raffles post, this is cyber crime, and most police forces have a dept to deal with this. If amazon gift codes were issued it should be possible for amazon to trace where any goods ordred by them were sent. Altough points may not get recovered, there may be enough for the police to track down the theif.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.