Should an airline reimburse your miles if you are hacked? Etihad Guest says no

A few weeks ago Rhys wrote an article on what happened when his British Airways Club account was hacked. Luckily, although not unexpectedly, British Airways reimbursed his stolen Avios.

It is getting more and more common for frequent flyer accounts to be the target of hacks.

This never used to be the case, so what has changed?

The answer should be obvious.

When the only redemption you can book is a flight, hacking a frequent flyer account is a waste of time.

The very best that a hacker can do is book themselves a flight. Unless they plan to travel immediately, the chance of getting away with the hack is very low. Even if they intend to fly a few hours later, there is still a real risk that the account holder notices.

Even if they hack isn’t noticed until after the flight, the airline will still have the passport details of the passenger and the payment card used to settle the taxes. It’s rarely worth the risk.

However ….

Over time, airline and hotel loyalty schemes started to add other redemption options. These were often pseudo-cash (such as Amazon e-vouchers) which suddenly made your mileage account a FAR more attractive hacking target.

Etihad Guest went even further. Via the Etihad Guest Reward Card, you can immediately turn your miles into cash, available to spend via a virtual Visa card added to your smartphone.

This makes Etihad Guest accounts particularly attractive to hackers.

If an airline makes itself a hacking target, shouldn’t they take responsibility?

A reader had his Etihad Guest account hacked recently. He got in touch with Etihad and received the email below in response.

What it says is:

• yes, we agree you were hacked
• tough luck, we’re not giving you your miles back

The small print (reproduced below) is interesting. Etihad Guest will consider giving back stolen miles UNLESS the account was accessed using your password (which will always be the case, surely?) If your password was used, you do not get your miles back back.

What is especially impressive about this response is that Etihad Guest knows where the stolen miles are.

Etihad Guest allows miles to be transferred to another account for a ‘fee’ of 10% of the balance. This is what happened here.

The hacker moved the balance (well, 90% of it less the 10% fee) to another account, presumably in a false name. From there they will presumably have created a virtual Visa card and headed down to their local shop.

If you have an Etihad Guest balance, make sure your password is secure and different from any other passwords you use.

Here’s Etihad’s response in full:

Dear XXXXXXXX

Thank you for contacting us. 

Upon reviewing our records, we can see that your account has been compromised. We suggest you create a new email address and we will update it to your profile to proceed with activation of your account.  

It is the guest’s responsibility to ensure that all their login credentials are kept secure.  

We strongly recommend regularly changing your passwords and ensure that the passwords are strong to prevent compromise.  

You can log into your Etihad Guest account regularly and keep track of all your transactions by checking the Activity History section.  

Please refer to the following terms and conditions:  

1.1.8 It is your responsibility to ensure that you take appropriate care of your Etihad Guest Card and your Etihad Guest Number (including login password credentials) to prevent unauthorized persons from accessing your Etihad Guest membership account.   

1.1.9 Etihad Guest assumes no responsibility for and is not liable for any unauthorized access by third parties to a member’s account and/or account information, including but not limited to any unauthorized award transaction made from the account, except as provided under applicable laws.

Etihad assumes no obligation to re-credit any unauthorized mileage withdrawal made by third parties. Etihad Guest reserves the right to review, in its sole discretion, requests for re-crediting unauthorized mileage withdrawals provided such request is made to Etihad Guest within three months of the unauthorized withdrawal.   

1.1.11 You should not disclose your password and login credentials to another person. Please make sure that your password is not written down and kept with your Etihad Guest Card. Etihad Guest is not responsible for stolen security credentials or passwords and will not re-credit miles for unauthorized redemptions using the guest’s security credentials or password.  

For more information about the terms and conditions, please click here.  

Recommendations:  

Change the password for your personal registered email address

Check if there have been any changes made to the recovery settings of your email address (such as a change of email or registered mobile number)

Due to the email address being compromised, you should change the passwords on all your online accounts

Change your Etihad Guest password

Kind Regards,  

Etihad Guest Team