The True Cost of Loyalty: Why it’s Crucial for Retailers to Protect Loyalty Data
Loyalty is big business. In the U.S., research has shown that there are over 3.3 billion loyalty memberships. Programs span across almost all markets, from supermarkets and restaurants to beauty and hospitality. For organizations, a loyalty program that resonates with consumers can set them apart from competitors. Last year, for example, Starbucks told investors that its rewards members drove a staggering 53 percent of Q3 2022 U.S. revenue.
However, with customers willing to hand over their data for discounts and rewards, especially as we find ourselves in a time of economic turmoil, retailers end up with more and more sensitive data that they need to protect. But how can organizations protect loyalty data effectively? And where should they start?
Loyalty and Trust: The Unexpected Cost of Data Breaches
Like consumers, cybercriminals also find loyalty programs particularly enticing, not least because it’s a booming market. In 2022, the global loyalty management market was estimated to be worth $5.92 billion. It’s not hard to see why cybercriminals are desperate to get in on the act. Loyalty program data breaches are on the rise, too. Notably, in January 2023, more than half a million Hilton Hotels customers had their data stolen and put up for sale on the dark web. With big-name brands being hit by devastating data breaches, where does this leave loyalty?
Cybersecurity is becoming an increasingly important discussion among C-suite executives; however, organizations may not have considered loyalty programs within their cyber risk planning exercises. While lucrative, the data that’s collected may not attract the same security attention as checkout payment systems or mainframe networks, and its value to cybercriminals is routinely underestimated. Similarly, a company might outsource the management of its loyalty card program to a partner as part of an extended supply chain, which increases the potential attack surface. Some of these outsourced companies may have lower levels of baseline security, leading to cloud misconfigurations which can leak data. Whenever they depend on outside partners, organizations must do their due diligence.
When a company’s loyalty card program suffers a breach (whether in-house or via a supply chain), the consequences can be devastating. Hand in hand with loyalty comes trust. When consumers hand over their data to organizations, they believe that their data is in safe hands. In the event of a breach, not only is this trust lost, but organizations will also find themselves shelling out the cost of reimbursing customers in stolen points, facing class-action lawsuits, or battling hefty regulatory fines. Similarly, there’s cost involved in breach investigations, remediation and notification, and reputational damage can be hard to come back from.
But what about the data itself?
Why Cybercriminals Covet Loyalty Card Data
An uptick in revenue and customer numbers naturally draws interest from opportunistic cybercriminals. Points themselves, often redeemable for pricey commodities, along with personal data, have become valuable objects on underground sites. But why do cybercriminals want such information and how do they use it?
Although it may seem strange, the illegal use of loyalty points is on the rise. While points hold no real-world cash value outside of the program, they can be exchanged for valuable goods and services. Threat actors can use stolen points to purchase hotel rooms and flights, for example, which can then be resold for profit.
On the other hand, personal customer data from accounts, which may include payment card information, names, addresses, phone numbers (among other data), can be sold on the dark web and/or used in follow-on phishing attacks to elicit more sensitive information. More and more often this data is being used to commit identity fraud.
Similarly, credential stuffing is on the rise. Using credentials collected from breached loyalty card accounts, cybercriminals can attempt, with the help of sophisticated automated tools, to access other accounts where users have reused the same email and password.
The Answer: Protect the Data
So, where should organizations begin when protecting their loyalty card programs? First, organizations must recognize why it’s so important to protect loyalty card data. From reputational damage to loss of income, it’s evident that the effect of a cyberattack on an organization’s loyalty program can be catastrophic. Ultimately, prevention is better — and more cost effective — than a cure.
Organizations must assume that a sustained attack is just a matter of time. Therefore, it’s important that organizations adopt a data-centric approach to security. Protecting customer data doesn’t equate to just guarding it with strong perimeters around data repositories containing data at rest. It also means applying protection directly to the data itself, in motion and at rest. Data-centric security methods such as tokenization and format-preserving encryption obfuscate sensitive data elements while enabling organizations to work with data in its protected state.
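The paragraph above describes vaulted tokenization at a high level. The following is an added illustration, not comforte’s product or any real library: a hypothetical `TokenVault` that replaces card and phone numbers in a constructed loyalty record with same-length, all-digit tokens that keep the last four digits, so reporting and lookups still work on the protected data while the real values live only in the vault.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed illustration of vaulted, format-preserving tokenization for loyalty records.
# Hypothetical names throughout; this is not a real product's API.


class TokenVault:
    """Maps sensitive digit strings to same-shaped tokens; plaintext lives only in the vault."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)  # keyed index so the vault never indexes by plaintext
        self._by_token = {}        # token -> real value (the only place plaintext is stored)
        self._by_fingerprint = {}  # HMAC(value) -> token, which makes tokens deterministic

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Return a token with the same length and character class (digits) as value."""
        if not value.isdigit() or len(value) <= keep_last:
            raise ValueError("expected a digit string longer than the preserved suffix")
        fp = self._fingerprint(value)
        if fp in self._by_fingerprint:  # same input -> same token, so joins and counts still work
            return self._by_fingerprint[fp]
        head_len = len(value) - keep_last
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(head_len))
            token = head + value[-keep_last:]
            if token not in self._by_token and token != value:
                break
        self._by_token[token] = value
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only a vault-authorized path should call this; the rest of the system works on tokens."""
        return self._by_token[token]


def protect_member(vault: TokenVault, member: dict) -> dict:
    """Tokenize the sensitive fields of a loyalty record; other fields pass through unchanged."""
    protected = dict(member)
    for field_name in ("card_number", "phone"):
        protected[field_name] = vault.tokenize(member[field_name])
    return protected


# Constructed sample loyalty records (industry test card number, fictitious phone numbers).
MEMBERS = [
    {"member_id": "M-1001", "card_number": "4111111111111111", "phone": "4155550123", "points": 12000},
    {"member_id": "M-1002", "card_number": "4111111111111111", "phone": "4155550199", "points": 300},
]
```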
A multipronged defensive strategy that combines traditional controls with data-centric protections is the right course of action for the business, and it is the right thing to do for the customers whose loyalty you want to keep.
Erfan Shadabi is a cybersecurity expert with data security specialists comforte AG, where he works to help organizations identify and understand cybersecurity risks to allow them to make better and more informed business decisions. Shadabi previously held marketing and technical positions at Hyundai, The Helsinki Times, Nokia and Lionbridge.