
Should an airline reimburse your miles if you are hacked? Etihad Guest says no


A few weeks ago Rhys wrote an article on what happened when his British Airways Club account was hacked. Luckily, although not unexpectedly, British Airways reimbursed his stolen Avios.

It is getting more and more common for frequent flyer accounts to be the target of hacks.

This never used to be the case, so what has changed?


The answer should be obvious.

When the only redemption you can book is a flight, hacking a frequent flyer account is a waste of time.

The very best that a hacker can do is book themselves a flight. Unless they plan to travel immediately, the chance of getting away with the hack is very low. Even if they intend to fly a few hours later, there is still a real risk that the account holder notices.

Even if the hack isn’t noticed until after the flight, the airline will still have the passenger’s passport details and the payment card used to settle the taxes. It’s rarely worth the risk.

However ….

Over time, airline and hotel loyalty schemes started to add other redemption options. These were often pseudo-cash (such as Amazon e-vouchers) which suddenly made your mileage account a FAR more attractive hacking target.

Etihad Guest went even further. Via the Etihad Guest Reward Card, you can immediately turn your miles into cash, available to spend via a virtual Visa card added to your smartphone.

This makes Etihad Guest accounts particularly attractive to hackers.

If an airline makes itself a hacking target, shouldn’t they take responsibility?

A reader had his Etihad Guest account hacked recently. He got in touch with Etihad and received the email below in response.

What it says is:

  • yes, we agree you were hacked
  • tough luck, we’re not giving you your miles back

The small print (reproduced below) is interesting. Etihad Guest will consider giving back stolen miles UNLESS the account was accessed using your password (which will almost always be the case, surely, since that is how most account takeovers work?). If your password was used, you do not get your miles back.

What is especially impressive about this response is that Etihad Guest knows where the stolen miles are.


Etihad Guest allows miles to be transferred to another account for a ‘fee’ of 10% of the balance. This is what happened here.

The hacker moved the balance (well, what was left of it after the 10% fee) to another account, presumably in a false name. From there they will presumably have created a virtual Visa card and headed down to their local shop.
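The cash-out pattern described above, an account emptied by a single transfer to a member number it has never dealt with, shortly after the email or password was changed, is visible in the Activity History. The script below is an added example, not Etihad’s code, and it assumes an activity export format (date, type, signed miles, detail) that Etihad does not actually publish; the activity lines are constructed for the example.

```python
"""Flag loyalty-account transfers that look like a takeover cash-out.

Added example, not Etihad's code. The pipe-separated activity format and the
sample lines are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Activity:
    when: date
    kind: str      # earn | redeem | transfer_out | profile_change
    miles: int     # signed change to the member's balance (0 for profile changes)
    detail: str    # destination member number for transfers, changed field for profile changes


# Constructed history: one small transfer to a relative months earlier (normal),
# then an email and password change followed next day by the whole balance
# leaving to a never-seen member number. The 10% fee is taken from what the
# recipient gets, so the debit here is the full balance.
SAMPLE_HISTORY = """\
2024-05-01|earn|15000|EY flight LHR-AUH
2024-06-10|transfer_out|-2000|EG member 1111111111
2024-09-01|earn|12000|EY flight AUH-LHR
2024-10-15|earn|8000|Partner hotel stay
2024-11-03|profile_change|0|email
2024-11-03|profile_change|0|password
2024-11-04|transfer_out|-33000|EG member 2222222222
"""


def parse_history(text):
    """Parse the assumed export format into Activity records, oldest first."""
    items = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, kind, miles, detail = line.split("|", 3)
        items.append(Activity(date.fromisoformat(when), kind, int(miles), detail))
    return sorted(items, key=lambda a: a.when)


def flag_cashouts(history, share=0.5, window_days=3):
    """Return [(transfer, reasons)] for transfers that look like a cash-out.

    A transfer is flagged when it moves at least `share` of the balance held
    immediately before it. Two further reasons are recorded when present: the
    destination has never received a transfer from this member before, and a
    profile change (email/password) happened within `window_days` before it.
    """
    flagged = []
    balance = 0
    seen_destinations = set()
    profile_changes = []
    for act in history:
        if act.kind == "profile_change":
            profile_changes.append(act)
            continue
        if act.kind == "transfer_out":
            moved = -act.miles
            if balance > 0 and moved >= share * balance:
                reasons = [f"moved {moved} of {balance} miles ({moved / balance:.0%})"]
                if act.detail not in seen_destinations:
                    reasons.append(f"first ever transfer to {act.detail}")
                recent = [c for c in profile_changes
                          if act.when - c.when <= timedelta(days=window_days)]
                if recent:
                    fields = ", ".join(sorted({c.detail for c in recent}))
                    reasons.append(f"profile change ({fields}) within {window_days} days")
                flagged.append((act, reasons))
            seen_destinations.add(act.detail)
        balance += act.miles
    return flagged


if __name__ == "__main__":
    for transfer, reasons in flag_cashouts(parse_history(SAMPLE_HISTORY)):
        print(transfer.when, transfer.detail)
        for reason in reasons:
            print("  -", reason)
```

The earlier 2,000-mile transfer passes quietly because it is a small share of the balance at the time; the second one trips all three signals. A programme operator could hold such a transfer for a confirmation step rather than releasing it, which is the kind of control a member has no way to apply from their side.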

If you have an Etihad Guest balance, use a strong password that you do not use anywhere else, and check your Activity History regularly: as Etihad’s own email below makes clear, once miles have been moved out using your password you are unlikely to get them back.

Here’s Etihad’s response in full:

Dear XXXXXXXX

Thank you for contacting us. 

Upon reviewing our records, we can see that your account has been compromised. We suggest you create a new email address and we will update it to your profile to proceed with activation of your account.  

It is the guest’s responsibility to ensure that all their login credentials are kept secure.  

We strongly recommend regularly changing your passwords and ensuring that the passwords are strong to prevent compromise.  

You can log into your Etihad Guest account regularly and keep track of all your transactions by checking the Activity History section.  

Please refer to the following terms and conditions:  

1.1.8 It is your responsibility to ensure that you take appropriate care of your Etihad Guest Card and your Etihad Guest Number (including login password credentials) to prevent unauthorized persons from accessing your Etihad Guest membership account.   

1.1.9 Etihad Guest assumes no responsibility for and is not liable for any unauthorized access by third parties to a member’s account and/or account information, including but not limited to any unauthorized award transaction made from the account, except as provided under applicable laws.

Etihad assumes no obligation to re-credit any unauthorized mileage withdrawal made by third parties. Etihad Guest reserves the right to review, in its sole discretion, requests for re-crediting unauthorized mileage withdrawals provided such request is made to Etihad Guest within three months of the unauthorized withdrawal.   

1.1.11 You should not disclose your password and login credentials to another person. Please make sure that your password is not written down and kept with your Etihad Guest Card. Etihad Guest is not responsible for stolen security credentials or passwords and will not re-credit miles for unauthorized redemptions using the guest’s security credentials or password.  

For more information about the terms and conditions, please click here.  

Recommendations:  

  • Change the password for your personal registered email address
  • Check if there have been any changes made to the recovery settings of your email address (such as a change of email or registered mobile number)
  • Due to the email address being compromised, you should change the passwords on all your online accounts
  • Change your Etihad Guest password

Kind Regards,  

Etihad Guest Team

Comments (85)

  • yonasl says:

    Many people sometimes comment they would not fly to certain countries or use certain airlines due to politics. Everyone can have an opinion for or against doing that. But what we forget sometimes is that while airlines may not represent the politics of the countries they are based in, they are closely related to the ethics and business practices of the country/region. Iberia for instance is insane if you try to pursue your EU261 rights as they know you will never make it through the Spanish legal system. Equally, Etihad seems to behave here like many ME companies where customer rights only exist if you are rich and powerful.

  • ColinThames says:

    By their inaction Etihad has just announced “hackers welcome here” if they don’t pursue those illegally stealing points. Anyone with a large balance would be well advised to convert their points into cash now.
    I presume Etihad don’t comply with GDPR guidelines either. BA have to.

    • OverPlanner says:

      GDPR applies to all organisations holding personal data on EU/UK citizens (irrespective of their nationality). Etihad will therefore need to comply. If they are found to be non-compliant, not sure I’d want my compensation to be in Etihad miles based on this article/comments though.

    • Nancy says:

      That’s not what they announced at all. It’s been in the terms forever – if it’s Etihad’s fault the account got hacked, then they’ll reinstate the balance. If it’s the user’s fault that they reused the password or didn’t keep it safe, then Etihad does not take responsibility for that (and rightly so). Instead of converting to cash, isn’t it just easier to keep your password secure and safe?

    • Bert says:

      Problem is if they reimburse you when the hacker has already cashed out, then Etihad take a loss for something that was not their fault.
      If Etihad got hacked then absolutely they should be on the hook and compensate customers, but in this case it looks like the breach isn’t happening on Etihad’s side, rather customer credentials are being compromised from somewhere else and simply being used to login to Etihad’s system.

  • Esther says:

    I understand the reaction to Etihad’s decision. However instead of everyone going on about changing passwords etc. maybe we should be hearing, you must actually carefully read the terms and conditions you are signing up for when you open a frequent flyer or any other loyalty account. My guess is that upwards of 99% of those with loyalty accounts never do this before signing up. What Etihad has done here is set themselves up for a PR firestorm. However Etihad is a highly regarded and highly successful airline with a Middle Eastern way of thinking. That means they really will not be bothered. We told the customer in the clearest possible language what might happen, so why is he now complaining?

  • VinZ says:

    Suddenly BA doesn’t look so bad…

  • Ian says:

    Would be nice to see what the etihad press office says upon contact.

    • Jonathan says:

      They’d probably just repeat pretty much what’s been summarised in this article…

      Don’t forget that the first person / dept that replies usually has very little to no power and simply follows company policy

    • Rob says:

      The airline has applied the rules you signed up to when you joined the programme. You can’t really complain.

      • AG says:

        How about my case Rob? Do I have grounds for complaint? Here’s the sequence of event:

        28 Oct: account locked, passport submitted.
        29 & 30 Oct: chasers (calls and emails)
        1 November: Miles expired.
        2 November: Account unlocked, 0 miles.

        • David says:

          Sounds like a life lesson unfortunately. Do it 7 days prior and you wouldn’t be in that mess even though it is extremely harsh on your part.

      • D says:

        Fair point, just wiped and cancelled my account as a result.

      • Andy Davies says:

        Doesn’t make the rules legal under the unfair contract terms legislation

        If my miles went missing as in the case outlined in the post I’d MCOL Etihad for the value of the miles

  • john says:

    Can we insure against this loss?

    You can get insurance for lots of things. If someone breaks into my house and steals my stuff, I have home insurance for this. When buying a house, solicitors take out indemnity insurance for banal things like chancel liability.

    There must be the ability to take out insurance therefore against our frequent flyer accounts being hacked / closed etc? Maybe HFP could look into this – there certainly sounds like there is a market for it.

    • NorthernLass says:

      Some travel policies cover actual bookings made with loyalty points, however the actual ownership of them is a bit of a legal grey area. Usually the Ts and Cs will say they have no monetary value, and also that they remain the property of the issuer, so it might be difficult to get an insurer to recognise that they have any insurable value to you, the account holder.
      Also, someone else will probably point out that if you start attributing monetary value to loyalty points, you potentially become liable to pay tax on them!

      • Will says:

        The “have no value” tax argument is ludicrous.
        They can be substituted in certain cases for cash with respect to flight bookings.

        Regardless of any explicit value a company wishes to attribute to them they do have implicit value at redemption time.

        Regulation could easily retain a tax free status and give the consumer greater protection at the same time if it wanted to do so.

        Turkeys voting for Christmas time now, I’m not sure why we should be considering them as tax exempt outside of our own personal gain.

  • lesscleverandrew says:

    There are some “factual” inaccuracies in this article.

    “If an airline makes itself a hacking target, shouldn’t they take responsibility?”

    > Every company with a public internet presence is a target for hackers. They are not “making” themselves a target.

    “UNLESS the account was accessed using your password (which will always be the case, surely?)”

    > It is not necessary to use the password to access someone’s account. The details are a little technical, but it is for example possible to piggyback on someone’s login session. Or to go after the way the password is reset.
    > Crucially these could all be Etihad’s responsibility due to bugs in their website but you would never know as the victim.

    • Andrew says:

      Good points, well made.

    • Rob says:

      Not true.

      There is no logical reason to hack into a frequent flyer account unless there is an insecure way of turning those miles into cash.

      A decade ago a lot of programmes let you redeem for Amazon evouchers. Most of those that did have now stopped, because it leads to a sharp increase in hacking attempts.

      Members didn’t ask Etihad to set up insecure ‘turn your miles into cash’ options. Most are looking to redeem for flights. Members also didn’t ask Etihad not to enforce 2FA.

      It’s worth noting that Amazon makes a conscious business decision to leave itself open to fraud via some of the payment and delivery practices it uses. This is a deliberate decision to make life easier for honest customers but they accept (and fund) the fraud costs from doing so. Etihad should act the same way.

      • lesscleverandrew says:

        Rob, I am in the cybersecurity industry. I help some airlines in their software programs to make themselves more secure and when we put our bad guy hats on we don’t say “ooh, this isn’t logical – I won’t go down that path, unless there is no credible threat”.

        Everyone with a public internet presence is a target for hackers.

        I was also responding to the comment about access to an account only via password. It is not necessarily true that you need to use someone’s password to access a victim’s account or perform unauthorised actions on someone’s account. This is a verifiable fact.

        Yes, they should support 2FA which puts their customers at greater risk and yes they may make themselves a more juicy target, but that’s another question. Converting to “cash” could be done more safely – I don’t want to get into the how, etc, etc, etc.

        But specifically – on the how else would they get into someone’s account – there are ways and means (that usually require some or other weakness).

      • Can says:

        That makes little sense Rob.
        Even teens with some interest in the cyber-world may try and even succeed. The literature is full of such examples, including airlines.

        • Rob says:

          But what would they do with your miles? Nothing, if there was nothing they could do except book a flight.

      • Nancy says:

        I’m sorry Rob, but these arguments are nonsense. There are other LOGICAL reasons to hack into someone’s account. It’s not always with the aim to turn miles into cash. It can be identity fraud, stealing personal details, 3rd party access and other reasons. These cases usually don’t make it to the press and create so much noise in this community, but working in infosec, I can assure you they’re more frequent. The fact that it’s now more attractive does not shift the liability on the airline/service provider. The person using a weak password or reusing the password on other (insecure) websites is the one who is making themselves a target, not the airline.

  • Oll says:

    I do find interesting that over time, the term “hacking” has gone from an activity which exploits a critical vulnerability in a system or code, to “handing your password to a bad actor unintentionally”.

    • NorthernLass says:

      One is hacking, the other is scamming. I imagine there’s a very clear legal definition of the former, whereas the latter covers a wide range of dubious behaviour!

    • Daniel says:

      Old(er) people / millennials love calling anything “hacking”. Nobody used top secret spy tools to break the CIA-level encryption matrices and break into the cyber mainframe. They tried monkey123 and they got in. That is 100% on you.

      • Peter K says:

        @Daniel. I think you’re confusing millennials with those of an earlier era.

        • Daniel says:

          I’m saying it extends from older people all the way up to millennials. Though to be honest a lot of gen-z will say things like this too. It’s just general tech ignorance

          • Throwawayname says:

            I find younger people are often less tech savvy than those who are 35-50. Being a ‘digital native’ means that you’re used to things working seamlessly and to being powerless to do much to remedy the occasional malfunction, whereas those who had to tinker with the likes of DOS or even do basic programming (e.g. HTML) in order to get relatively simple things done may well be more accustomed to getting under the proverbial bonnet of IT stuff. Of course, not every youngster was interested in the internet back in ’94, so this won’t apply to everyone in that age range.
