Jill Frankfort spent years saving her frequent flyer miles and intended to spend them on a special vacation. But on the day that she was set to cash them in, she was hit with a terrible surprise. A thief had hacked her American Airlines account and stolen her miles — 152,500 to be exact.
Now she wants to hold American Airlines responsible for the hack. And she wants her stolen miles back. But is that going to happen?
If, like Frankfort, you are hoarding tons of frequent flyer miles, you might want to take heed. She assumed that her miles were secure inside her American Airlines account, and so she rarely checked on them. That was a mistake. Her stolen miles were long gone by the time she noticed they were missing. And the thief? Long gone.
Where did her stolen miles go?
Frankfort discovered that someone had hacked her American Airlines account last June. That’s when she and her husband had decided to finally use all their accumulated miles to take an international trip.
Unfortunately, she soon found out some strangers had already taken one, using stolen miles from her account.
“I logged into my American Airlines account,” Frankfort remembers. “Suddenly, I discovered transactions for tickets that I did not authorize.”
All of Frankfort’s American Airlines miles were gone. She studied the information. One transaction had resulted in most of the lost miles. A couple, their names listed in her account, had flown from New Delhi, India, to Doha, Qatar, in business class.
Frankfort was stunned. She didn’t recognize the names of the passengers and certainly never granted permission for them to use her miles.
Assuming that this was all just a misunderstanding, Frankfort called American Airlines to report the error. And that’s when she discovered that this was not a simple clerical error. The representative explained that it appeared that someone had hacked her American Airlines account and fraudulently redeemed her miles.
Then Frankfort asked that the representative restore her stolen miles. She couldn’t believe her ears when the agent rejected her request. American Airlines would not return the stolen miles.
After this hack, why won’t American Airlines replace her stolen miles?
As a regular reader of our site, Frankfort knew that it was time to get off the phone. Following the problem-solving advice in our publisher Christopher Elliott’s article on the topic, she wrote a short, polite email detailing the situation. Her request ended with a reasonable resolution: the return of her miles.
American Airlines responded swiftly. It would not be replacing her stolen miles. The timing of Frankfort’s request was the problem.
Unfortunately, Frankfort had not checked her balance for well over one year. Knowing that American Airlines miles expire after 18 months, Frankfort had signed in right up against that expiration deadline. But by that time, her miles were gone — stolen and likely resold to a buyer on the Dark Web.
“American Airlines told me that my stolen miles could not be restored since this took place over six months ago and an investigation could not be pursued by AA corporate security. I was advised that the only recourse would be to file a police report.”
Frustrated by her lack of progress in retrieving her stolen miles, Frankfort began searching for other recourse. And that’s when she sent a request for help to the Elliott Advocacy team.
When did this hacker first gain access to her American Airlines miles?
When I read through Frankfort’s request for help, I wondered why American Airlines wasn’t receptive to restoring her miles. Seemingly through no fault of her own, a hacker had gained access to her account. Frankfort had relied on the security measures that she assumed the airline has in place to protect its customers.
So what went wrong?
To find out, I reached out to our executive contact at American Airlines. As it turns out, the airline had done a complete investigation into Frankfort’s complaint.
In October 2016, 20 months before Frankfort checked in on her miles, someone had changed the email associated with her AAdvantage account.
Our American Airlines contact explains:
“She received a trigger notification to that email advising of the change and to contact American if it was not authorized. We did not receive any bounce back message, so it was delivered to her account. Awards did not start leaving the account for more than six months after the change to the email address.”
You must report stolen miles promptly — not 13 months later
The couple who flew from New Delhi to Doha used the miles and completed travel in May 2017. Frankfort didn’t discover or report this fraudulent transaction until 13 months later. American Airlines would have returned any stolen miles if Frankfort had reported the problem at the time.
Frankfort never read American Airlines’ October 2016 trigger notification until recently. After American Airlines told her of its existence, she says she found the alert in her spam mailbox.
It would seem that the hacker of Frankfort’s American Airlines account waited patiently after the address change. Six months later, the thief began spending down the balance.
Our executive contact went on to say that, against the airline’s advice, Frankfort has re-added the possibly compromised email address to her AAdvantage account.
“The email address she used then, and continues to use again today, was listed on three breach sites. So most likely an email address/password combination is the same for multiple sites.”
As a gesture of goodwill, American Airlines agreed to return 25,000 of Frankfort’s stolen miles. The airline continues to recommend that she not use the compromised email address.
How can you avoid losing all your miles to a hacker?
- Don’t use the same email address and password combination across multiple sites
The reason? Let’s say a hacker hits a company, but you didn’t store any personal information there. So it doesn’t occur to you that this hack could affect you. But maybe you placed an order on that company’s site or signed into a message board and used a favorite email/password combination. This information is vital to a hacker. Hackers have determined that many people have favorite email/password combos. And so when hackers steal information from one site, they quickly test these combos on multiple sites across the web. Using a unique password for each site you visit can lessen the chance of a hacker being able to get inside your accounts.
- Check your frequent flyer accounts frequently
Frankfort could have avoided losing her miles if she had been more vigilant with her frequent flyer account. It’s never a good idea to allow these loyalty program accounts to become dormant. We don’t often receive complaints about hacked frequent flyer accounts. However, our team does receive many requests for help from consumers who have lost all their miles to an expiration date. The reason? Most of these consumers say that they weren’t aware of the expiration policy of the program. And they never bothered to check. Keeping your eye on your frequent flyer miles is essential. Sign in to your account at least once per quarter. And make sure you are familiar with the rules of your loyalty program, which can change frequently. Remember there are no laws or regulations that govern loyalty programs. So it’s up to you to know and abide by your airline’s “laws.” Its terms and conditions are the final arbiters of any frequent flyer program complaints.
- Change your password
Finally, changing your password from time to time is another way to stay one step ahead of hackers. If you’ve had the same password on any account for a lengthy period, it might be time to consider a change for the new year.