
Should an airline reimburse your miles if you are hacked? Etihad Guest says no


A few weeks ago Rhys wrote an article on what happened when his British Airways Club account was hacked. Luckily, although not unexpectedly, British Airways reimbursed his stolen Avios.

It is getting more and more common for frequent flyer accounts to be the target of hacks.

This never used to be the case, so what has changed?


The answer should be obvious.

When the only redemption you can book is a flight, hacking a frequent flyer account is a waste of time.

The very best that a hacker can do is book themselves a flight. Unless they plan to travel immediately, the chance of getting away with the hack is very low. Even if they intend to fly a few hours later, there is still a real risk that the account holder notices.

Even if the hack isn’t noticed until after the flight, the airline will still have the passport details of the passenger and the payment card used to settle the taxes. It’s rarely worth the risk.

However ….

Over time, airline and hotel loyalty schemes started to add other redemption options. These were often pseudo-cash (such as Amazon e-vouchers) which suddenly made your mileage account a FAR more attractive hacking target.

Etihad Guest went even further. Via the Etihad Guest Reward Card, you can immediately turn your miles into cash, available to spend via a virtual Visa card added to your smartphone.

This makes Etihad Guest accounts particularly attractive to hackers.

If an airline makes itself a hacking target, shouldn’t they take responsibility?

A reader had his Etihad Guest account hacked recently. He got in touch with Etihad and received the email below in response.

What it says is:

  • yes, we agree you were hacked
  • tough luck, we’re not giving you your miles back

The small print (reproduced below) is interesting. Etihad Guest will consider giving back stolen miles UNLESS the account was accessed using your password (which will always be the case, surely?). If your password was used, you do not get your miles back.

What is especially impressive about this response is that Etihad Guest knows where the stolen miles are.


Etihad Guest allows miles to be transferred to another account for a ‘fee’ of 10% of the balance. This is what happened here.

The hacker moved the balance (well, 90% of it less the 10% fee) to another account, presumably in a false name. From there they will presumably have created a virtual Visa card and headed down to their local shop.

If you have an Etihad Guest balance, make sure your password is secure and different from any other passwords you use.

Here’s Etihad’s response in full:

Dear XXXXXXXX

Thank you for contacting us. 

Upon reviewing our records, we can see that your account has been compromised. We suggest you create a new email address and we will update it to your profile to proceed with activation of your account.  

It is the guest’s responsibility to ensure that all their login credentials are kept secure.  

We strongly recommend regularly changing your passwords and ensuring that the passwords are strong to prevent compromise.  

You can log into your Etihad Guest account regularly and keep track of all your transactions by checking the Activity History section.  

Please refer to the following terms and conditions:  

1.1.8 It is your responsibility to ensure that you take appropriate care of your Etihad Guest Card and your Etihad Guest Number (including login password credentials) to prevent unauthorized persons from accessing your Etihad Guest membership account.   

1.1.9 Etihad Guest assumes no responsibility for and is not liable for any unauthorized access by third parties to a member’s account and/or account information, including but not limited to any unauthorized award transaction made from the account, except as provided under applicable laws.

Etihad assumes no obligation to re-credit any unauthorized mileage withdrawal made by third parties. Etihad Guest reserves the right to review, in its sole discretion, requests for re-crediting unauthorized mileage withdrawals provided such request is made to Etihad Guest within three months of the unauthorized withdrawal.   

1.1.11 You should not disclose your password and login credentials to another person. Please make sure that your password is not written down and kept with your Etihad Guest Card. Etihad Guest is not responsible for stolen security credentials or passwords and will not re-credit miles for unauthorized redemptions using the guest’s security credentials or password.  

For more information about the terms and conditions, please click here.  

Recommendations:  

  • Change the password for your personal registered email address
  • Check if there have been any changes made to the recovery settings of your email address (such as a change of email or registered mobile number)
  • Due to the email address being compromised, you should change the passwords on all your online accounts
  • Change your Etihad Guest password

Kind Regards,  

Etihad Guest Team

Comments (76)

  • Robert says:

    “Etihad Guest will consider giving back stolen miles UNLESS the account was accessed using your password (which will always be the case, surely?)”

    Surely not. Ever heard of actually hacking the backend system, accessing the account through a 3rd party integration, API, stealing a session and many others? Someone using your password (which you somehow disclosed or made easy to guess) is hardly a hacker anyway. To me, this is a clear split of responsibility and liability. If my system is hacked (because I didn’t secure it well enough), I take the responsibility. If your password is used (because you didn’t secure it well enough), you take the responsibility. Simple and fair.

    • The Savage Squirrel says:

      Not so fair if MY password security is hacked then your FF accounts are emptied by conventional password usage. Or brute force attacks are not protected against, or etc etc etc….

      • Robert says:

        Why should YOUR password security be my problem/responsibility?… You could compare it to a flat. If I, as a landlord, give you the keys to your rented flat, and you give the keys to someone else, who then uses the key to empty the room of all of its contents, then why should I be responsible for that? If I had insecure windows and someone used that window to get in without the key, then yeah, that’s my responsibility.

        • The Savage Squirrel says:

          You seem to have missed my point completely. Try rereading what I wrote – I have used the same MY and YOUR as you did in your post so am surprised it has confused you.
          If MY (i.e. Etihad’s) password security is compromised then YOUR (the individual user) password could be accessed using the password with no user culpability.

          The examples I gave above are more like: what if a key was indeed used to access the flat, but it was a copy made off the landlord’s original due to their poor security at the letting office.

    • David says:

      Easy back door for Etihad. “Your password was hacked unfortunately”. How can you tell them otherwise.

      • Nancy says:

        Sure, equally they can cancel your booking because the demand is higher and they want to sell the seats for a higher price. “You cancelled your booking online unfortunately”. How can you tell them otherwise.

    • r* says:

      What absolute crap. People can secure their passwords but still have them stolen due to exploits in software etc. Part of the responsibility is with the other party to ensure that their system isn’t easy to access when a user is compromised, do Etihad require 2FA etc?

      • Nancy says:

        Why should companies be responsible for users using crappy/exploited software to store the password?… Ultimately it’s always the user which is the weakest link, even if they require 2FA, the user can be social engineered to give their OTP (which unfortunately happens all the time in more lucrative industries than frequent flyer programmes).

  • The Savage Squirrel says:

    If they do want to continue with the Etihad Guest Reward Card then one very simple solution with no downside that I can see would be to only allow creation of virtual payment cards from accounts where the user has already paid for and flown an Etihad flight.
    Can’t be many genuine accounts that have never taken a flight but would want to access that functionality, surely?
    Not a total fix but certainly makes this avenue that bit more difficult for bad actors to exploit.

  • Jimbob says:

    The customers end up paying for the fraud one way or another.

    In BA’s case then the cost is spread throughout the customer base, whereas Etihad chooses to make the individual bear the cost.

    As someone who uses unique passwords, then perhaps I would prefer the Etihad method.

  • Sina says:

    I received an email from Etihad asking me for ID to verify my account even though I had no transactions etc, I sent it and they confirmed in an email that everything is fine and account is re-activated.

    I tried to access it a few weeks later to use my 25k points for a hotel booking but couldn’t login, so emailed the customer service and they said they’ve asked for ID and I haven’t provided!!!

    I sent them a chain of the emails showing the fact that I did send it and they confirmed and they just shrugged it off and said they can’t do anything it’s too late!

    I was robbed by Etihad of £200 worth of points, I will never EVER book them and will actively do free adverse marketing for them forever 😊

  • Throwawayname says:

    Companies can’t hide behind terms and conditions that are written for the UAE (etc) market while offering their services to UK residents. I wouldn’t hesitate to sue them under the Consumer Rights Act 2015 (s.49 obliges them to provide services with reasonable care and skill), the claim costs are negligible.

    • Ed says:

      Not providing MFA is very clearly not providing services with reasonable care/skill in 2025
