Aeroplan, PC Optimum grapple with points theft as thieves drain accounts, book flights

Points thieves are on the prowl.

Loyalty programs Aeroplan and PC Optimum have each recently been hit with multiple cases of points theft. Flights have even been booked usingstolen Aeroplan miles.

"I was blown away," said Christina Rayburn, after discovering that someone had swiped most of the miles from her online Aeroplan account and taken a trip.

"The fact that they were able to do that kind of concerns me."

Cyber thieves are increasingly targeting Canadians' stockpiles of lucrative loyalty points PC Optimum hasdealtwith points theft since the program launched in February.

Some cybersecurity experts say rewards programs need to beef up security to help protect members.

So perhaps it's no surprise that PC Optimum has just launched stronger password requirements, and plans to soon roll out two-step authentication whenmembers try toaccess their account.

Toronto-based cybersecurity expertRitesh Kotak applauds the move.

"Start treating these points cards with the same security that we use for online banking," he said. "Until we do that, we're going to keep seeing these issues popping up."

Flying off with stolen miles

Aeroplan memberRayburn, who lives in Hamilton, noticed something was amiss on July 13.

More than 100,000 points had been hijacked from her account, and a new name, email and contact number had been added all of which she didn't recognize.

"I was a little freaked out."

She called Aeroplan and discovered her stolen points had been used to book a round-trip flight. The travel rewards program didn't reveal the route.

Rayburn did learn that the outbound flight had already been taken. Aeroplan was able to cancel the return trip, and refunded her points the following day.

"They apologized profusely," she said. "Obviously, they recognized a pattern."

Back in May, former provincial Newfoundland and Labrador politicianSteve Kent discovered that two separate domestic flights had been booked using close to 100,000 of his Aeroplan miles. The tickets were in names he didn't recognize.

Fortunately, Kent was able to cancel them before takeoff.

"I was obviously surprised that my account had been compromised and concerned that somebody could actually get that far using fraudulent means," he said.

Aeroplan didn't provide any specifics on Rayburn or Kent's cases except to say that it has returned their points.

"A very small percentage" of the program'smembers have been affected by recent points theft, said spokesperson Christa Poole in an email.

Poole did say that Kent's case was likely the result of him using an unsecured network.

"Blaming a loyal customer for their weak security practices is not a good business strategy," Kent said in response.

Aeroplandefended its security practices.

"Protection of member information is our highest priority at Aeroplan and we have security measures in place," said Poole.

The program has also postedtips for how members can protect their accounts, including changing their password frequently and avoiding using unprotectedWi-Finetworks.

PC Optimum gets tough

After a string of points thefts, PC Optimum's owner, Loblaw, advised back in March that "strong, unique passwords protect personal information and points."

The thefts continued. Loblawdeclined to providea current tally of victims.

More than 60 PC Optimum membershave reported they'veexperienced points theft, one of the most recent being Suzanne Soto-Davies in Burlington, Ont.

According to her account records, on July 8, a thief spent 250,000 of her points worth $250 at two Loblaws grocery stores in Quebec.

"You automatically feel violated," said Soto-Davies, who saysshe got her points back after reporting her case.

"They had apparently broken into my password."

PC Optimum requiresall members to adhere to beefed-up password requirements by Aug. 31. Two-step authentication will be added in the coming months.

"We're always looking for ways to help protect our members' accounts,"said spokespersonCatherine Thomas in an email. She said the changes are part of "ongoing security enhancements."

Cybersecurity expert Kotak says it's hard to catch a cyber thief who can hide their identity online, so prevention is key to fighting off fraudsters.

"These are your points. You've gone out, you've spent real money," he said. "Several mechanisms need to be put into place to ensure you don't become a victim."