A New York Times article about hackers targeting loyalty programs made its way through the Cheetah Digital office recently. The story was certainly relevant to our work here, but also to the greater conversation about privacy.
Although the article was interesting on several levels, it left us with more questions about loyalty fraud than answers. Thankfully, we have a number of experts who can fill in those gaps, including Patrick Benoit, Cheetah Digital’s Deputy Chief Information Security Officer (CISO).
Patrick has worked in the security industry for more than 25 years, so he has a lot to say about how customers currently treat the security of their loyalty programs — and whether Cheetah Digital’s clients should be worried about hackers.
CH: Consumers know the importance of account security when it comes to their credit cards. Should loyalty programs be viewed the same way?
PB: The short answer is yes. The longer answer is that it's a misconception to believe we should treat any data differently than how that data is being classified. Very basic personal data — like our name, address, and phone number — needs to be treated carefully because of privacy, but there's a minimum level of security applied to this information.
Then there’s the next level, like our Social Security number and credit card numbers. And, to me, that includes loyalty memberships.
CH: It seems many consumers don’t think in those terms. How can loyalty technology providers like Cheetah Digital change that?
PB: We have to educate the general population. Every time loyalty is mentioned, we should teach consumers to treat their rewards and data as if they’re something valuable — because they are.
Think about an airline points program. If someone loses 100,000 points, they might not think it’s a big deal. But if we explain to them that 100,000 points is the equivalent of 2½ round-trip flights in the U.S. — and the average round-trip ticket is $400 — then the value of those 100,000 points is actually $1,000. Are you willing to give away $1,000? I’m sure not. So we as loyalty providers should be advising our clients to educate their customers that their loyalty rewards are real money and need to be treated accordingly.
CH: When stories about loyalty hacking hit the news, what is your response to clients who ask about the safeguards Cheetah Digital has in place and how these issues can be avoided?
PB: When it comes to cloud security, cloud monitoring, and risk management, Cheetah Digital offers top-notch protection. But, much like security in general, it's very difficult to find a breach that wasn't caused by either A) somebody doing something they weren't supposed to do, or B) somebody not doing something they were supposed to do. So, yes, we can patch, fix vulnerabilities, scan, and monitor. But very little of that actually fixes the problem, because ultimately it’s a people issue.
I advise clients to create an educational program that utilizes campaigns or loyalty services to tell customers how valuable these rewards are and that they should be treated like money. As we make that connection for the consumer, rewards are going to become meaningful and there will be a greater effort by people to protect them.
As data and fraud become an even bigger part of the loyalty equation, it’s going to be fascinating to see how security continues to evolve. I agree with Patrick: it comes down to education. If loyalty providers like Cheetah Digital educate their clients and those clients educate their consumers, then loyalty program data should become more secure.
At Cheetah Digital, security is an essential part of our relationship with clients. If you want to work with a loyalty provider who values privacy and the protection of data, contact us to learn more.