For starters, cancel the booking and redeposit the miles or credit the form of payment. The ticket would be in the name of the perp or one of their friends (or some random person who wouldn't even know they had a ticket, and thus wouldn't miss it when it was cancelled). If they can positively identify the perp, which seems likely from the records of lounge access and flight itineraries (if it happened at an WC computer), further action such as closing their WP account might be a possibility.