Maximise your Avios, air miles and hotel points

Should an airline reimburse your miles if you are hacked? Etihad Guest says no

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

A few weeks ago Rhys wrote an article on what happened when his British Airways Club account was hacked. Luckily, although not unexpectedly, British Airways reimbursed his stolen Avios.

It is getting more and more common for frequent flyer accounts to be the target of hacks.

This never used to be the case, so what has changed?

Etihad account hacked

The answer should be obvious.

When the only redemption you can book is a flight, hacking a frequent flyer account is a waste of time.

The very best that a hacker can do is book themselves a flight. Unless they plan to travel immediately, the chance of getting away with the hack is very low. Even if they intend to fly a few hours later, there is still a real risk that the account holder notices.

Even if they hack isn’t noticed until after the flight, the airline will still have the passport details of the passenger and the payment card used to settle the taxes. It’s rarely worth the risk.

However ….

Over time, airline and hotel loyalty schemes started to add other redemption options. These were often pseudo-cash (such as Amazon e-vouchers) which suddenly made your mileage account a FAR more attractive hacking target.

Etihad Guest went even further. Via the Etihad Guest Reward Card, you can immediately turn your miles into cash, available to spend via a virtual Visa card added to your smartphone.

This makes Etihad Guest accounts particularly attractive to hackers.

If an airline makes itself a hacking target, shouldn’t they take responsibility?

A reader had his Etihad Guest account hacked recently. He got in touch with Etihad and received the email below in response.

What it says is:

  • yes, we agree you were hacked
  • tough luck, we’re not giving you your miles back

The small print (reproduced below) is interesting. Etihad Guest will consider giving back stolen miles UNLESS the account was accessed using your password (which will always be the case, surely?) If your password was used, you do not get your miles back back.

What is especially impressive about this response is that Etihad Guest knows where the stolen miles are.

Etihad Guest account hacked

Etihad Guest allows miles to be transferred to another account for a ‘fee’ of 10% of the balance. This is what happened here.

The hacker moved the balance (well, 90% of it less the 10% fee) to another account, presumably in a false name. From there they will presumably have created a virtual Visa card and headed down to their local shop.

If you have an Etihad Guest balance, make sure your password is secure and different from any other passwords you use.

Here’s Etihad’s response in full:

Dear XXXXXXXX

Thank you for contacting us. 

Upon reviewing our records, we can see that your account has been compromised. We suggest you create a new email address and we will update it to your profile to proceed with activation of your account.  

It is the guest’s responsibility to ensure that all their login credentials are kept secure.  

We strongly recommend regularly changing your passwords and ensure that the passwords are strong to prevent compromise.  

You can log into your Etihad Guest account regularly and keep track of all your transactions by checking the Activity History section.  

Please refer to the following terms and conditions:  

1.1.8 It is your responsibility to ensure that you take appropriate care of your Etihad Guest Card and your Etihad Guest Number (including login password credentials) to prevent unauthorized persons from accessing your Etihad Guest membership account.   

1.1.9 Etihad Guest assumes no responsibility for and is not liable for any unauthorized access by third parties to a member’s account and/or account information, including but not limited to any unauthorized award transaction made from the account, except as provided under applicable laws.

Etihad assumes no obligation to re-credit any unauthorized mileage withdrawal made by third parties. Etihad Guest reserves the right to review, in its sole discretion, requests for re-crediting unauthorized mileage withdrawals provided such request is made to Etihad Guest within three months of the unauthorized withdrawal.   

1.1.11 You should not disclose your password and login credentials to another person. Please make sure that your password is not written down and kept with your Etihad Guest Card. Etihad Guest is not responsible for stolen security credentials or passwords and will not re-credit miles for unauthorized redemptions using the guest’s security credentials or password.  

For more information about the terms and conditions, please click here.  

Recommendations:  

Change the password for your personal registered email address

Check if there have been any changes made to the recovery settings of your email address (such as a change of email or registered mobile number)

Due to the email address being compromised, you should change the passwords on all your online accounts

Change your Etihad Guest password

Kind Regards,  

Etihad Guest Team

Category

Etihad and Etihad Guest

Comments (83)

  • Col says:
    20 May20 May 06:49

    I had a similar issue recently and it’s caused a lot of damage to me and I’ve lost my Social Media accounts which is damaging for my business, but also lost my Hilton account. (They tried and failed to get my BA and VS ones)

    My experience with Hilton started as a little luke warm. The Hackers had changed my email and phone number on my profile and wiped out my half a million balance.

    I rang them and they took the details and said someone would get in touch, I had little hope. This was at about 3pm UK time.

    By 7pm, their fraud team had created me a new account, restored my points balance, including all my nights stays and emailed me explaining what they had done! I am genuinely in awe and flabbergasted at just how quick and responsive they were, the complete opposite to what has happened here with Etihad!

    Reply
    • Skywalker says:
      20 May20 May 08:09

      Just curious as to how you lost your social media accounts as well – did you have the same password for each or were they all set with weak passwords – or were these hackers just particularly good?

      Reply
      • Retron says:
        20 May20 May 08:51

        Probably just “hacked” the email account – that’s the most important account of all, as once you get into that you can see all the other sites they’ve signed up to. It really should have a unique password, not stored or written down anywhere… and preferably 2FA as well.

        Reply
    • L Allen says:
      20 May20 May 09:41

      I had my Hilton account hacked too and, it took a while (definitely not as quick as your experience) to get the points back. They didn’t create a new account for me but I chose to create a new account. I then had to manually transfer the recovered points to the new account and close down the old one. This was a good couple of years ago so maybe they’ve improved their processes.

      Reply
  • Dave says:
    20 May20 May 06:59

    Not sure about the wording at the very top, if BA act in such a way then “luckily” doesn’t seem right, that would imply something totally out of course happened almost by chance. Could I suggest the word “thankfully” be more appropriate

    Reply
    • aseftel says:
      20 May20 May 07:32

      Rhys did have to get the press office involved to make any progress, so I suppose one could say that it was incidental and highly fortunate that he had those contacts.

      Reply
  • Rj-24 says:
    20 May20 May 07:00

    So an unethical move by a mythical airline that had the same policy would be to “employ” a hacker and “leak” the passwords for the top points-holding accounts and liberate the points. Would save the airline a fortune.

    Reply
  • Can says:
    20 May20 May 07:09

    What a shame

    Reply
  • Gerry says:
    20 May20 May 07:13

    So if Etihad knew where the hacked miles had gone, they are condoning criminality.
    The least they should do is offer to inform the Police.
    These are LOYALTY programmes; it’s supposed to work both ways.
    Okay; we all avoid Etihad now. Very poor indeed.

    Reply
    • Bagoly says:
      20 May20 May 08:50

      Their response doesn’t say that they haven’t been proactive on that front.

      Reply
      • NorthernLass says:
        20 May20 May 09:21

        Plus it depends very much on where the hacking took place. The offenders might be in (e.g.) China or Russia with zero possibility of being brought to justice!

        Reply
    • BBbetter says:
      20 May20 May 13:08

      They dont have proof it was hacked. What if someone raised a false claim? And why should they compensate for poor password management of the user?

      Reply
  • Euan says:
    20 May20 May 07:32

    What a Patronising email.

    Reply
  • Nick says:
    20 May20 May 07:37

    I guess the situation is very dependent here… There are multiple types of ‘hacks’ and judging by the email, it seems this example was credential stuffing. It’s technically not a hack, as no systems were compromised, but the account likely shared a username and password with another service that was part of a data breach.

    This is why it’s vitally important to use unique passwords and, where possible, unique email addresses/username combinations. It renders any leaked credentials from one service unusable on another.

    Notably – most banks take a similar stance if cash is withdrawn using your PIN code. There’s an addition level of burden to prove it was stolen from your account in these scenarios.

    Reply
    • Bagoly says:
      20 May20 May 08:49

      Exactly.
      “Etihad Guest will consider giving back stolen miles UNLESS the account was accessed using your password (which will always be the case, surely?) ”
      They presumably mean that if there is an actual hack inside their systems rather than from the front end then they will refund.

      Reply
  • Jonathan says:
    20 May20 May 07:45

    We can all hope that the head of Etihad Guest program or the airline’s CEO will take some time to read over this article and the comments in a couple of days time (so by which point all comments will’ve fully died down), then they can take a good look at themselves and see how a consumer looks at them, they don’t want their loyal customers going elsewhere for their flights, but that’s what they’re half encouraging people to do, made even more worse by the (fairly) recent change to the expiry policy of their points…

    Reply

Leave a Reply to m Cancel reply

Your email address will not be published. Required fields are marked *

Please click here to read our data protection policy before submitting your comment

New to Head for Points?

Welcome!  We’re the UK’s most-read source of business travel, Avios, frequent flyer and hotel loyalty news. Let us improve how you travel. Got any questions? Ask them in our forums.

Get 25,000 Avios with the Barclaycard Avios Plus Mastercard

GET A SIGN-UP BONUS OF 18,000 VIRGIN POINTS!

Latest Forum Posts

Get 80,000 bonus points (worth 80,000 Avios) and £400 of dining credit with The Platinum Card (Offer ends 27th May)

Check reward flight availability instantly for free!

See a whole year of reward seat availability on one page at SeatSpy.com

Get up to 10,000 bonus Hilton Honors points

Booking a luxury hotel?

Our luxury hotel booking service offers you GUARANTEED extra benefits over booking direct. Works with Four Seasons, Mandarin Oriental, The Ritz Carlton, St Regis and more. We've booked £1.7 million of rooms to date. Click for details.

SME? GET THE ONLY FREE SMALL BUSINESS CREDIT CARD WHICH CAN EARN AVIOS

Get points worth 30,000 Avios with 'first year free' American Express Gold (ends 27th May)

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.

Got it!