
Account hacked, points spent

Old Oct 18, 2017, 3:34 pm
  #151  
Suspended
 
Join Date: Jul 2007
Posts: 4,477
Originally Posted by serpens
Since I can sign in using an email address or a member number, how does a new email address help secure the account? I might use the email address, but the hacker can just use the old member number.
In many hacking cases, the hacking of a member account is linked to the hacking of the email address. That is why the victims were not able to see emails informing them of the change (e.g. PIN reset or email address change).

However, that is not to say that it is the same in the case of IHG. There is no concrete proof yet.

Yet I must point out that a membership number is not enough for a hacker to get hold of your account. A PIN number and other information like email address, telephone number or full postal address is a must when you contact IHG to book award rooms. Changing your email address to a completely new one would help IHG to flag its system and identify a potential hacker, as the hacker is unlikely to learn your new email address so quickly. And an experienced IHG customer service agent would be able to identify red flags for known compromised accounts.

IHG has not upgraded its PIN system yet. However, the customer service agents are by now very experienced with hacked accounts.

If your account is hacked and if you wish to keep your old number, you MUST provide a new email address that is totally different from the one you used before. This is no guarantee you would not be hacked again, but it would help IHG to add another layer of filter on your account.

Remember, the people who are selling your points or taking advantage of your balance are not the hackers themselves. Hackers profit from selling batches of information that contain names, membership numbers, emails, telephone numbers and addresses. The fraudsters bought this information and then took over the balance of your account. The fraudsters are not as technologically advanced as the hackers, so they could not and would not bother to try again once they notice you have changed your PIN and email address. If you have not changed to a new email address, the likelihood of them obtaining your email password is greater. Changing to a new email address does not stop them trying, but it does add an additional layer of security.
FlyerTalker688786 is offline  
Old Oct 18, 2017, 11:50 pm
  #152  
 
Join Date: Sep 2001
Location: SoCal
Programs: UA 1K 2Millon Mile Flyer, IC Diamond Royal Ambassador Inner Circle, Bonvoy Gold
Posts: 479
Update: I got a call from IHG today. As the poster above noted, I had the choice of keeping my old number and giving a new email address or getting a whole new Rewards Club number.

IHG redeposited all my points and was able to cancel the Amazon Gift cards the fraudsters had ordered before they redeemed them.

In resetting my PIN, I noticed all the personal information (birthday, passport info, and address/phone info) contained in the account. Wow! I can only wonder where all that is now. I reiterated to the agent that they need to improve their site security and she said they are working on it... We'll see.
PremExecSNA is offline  
Old Oct 19, 2017, 5:40 am
  #153  
Suspended
 
Join Date: Jul 2007
Posts: 4,477
Originally Posted by PremExecSNA
Update: I got a call from IHG today. As the poster above noted, I had the choice of keeping my old number and giving a new email address or getting a whole new Rewards Club number.
Good for you. Hopefully your new account is safe. And I highly recommend changing PIN every 3 months.
FlyerTalker688786 is offline  
Old Oct 30, 2017, 10:24 am
  #154  
 
Join Date: Aug 2015
Posts: 54
Received an email from IHG stating that my account information had been updated about 30 minutes ago. I immediately logged in to find out 260,000 points were redeemed, leaving me with 2XXX points. My address had been changed to a Japanese one, and my email address was also changed.

I called IHG and reported the purchase. I was hoping they would put a stop to the order (according to CS it was an Amazon purchase), but they told me they needed to open an investigation and would take 24-72 hours to complete.

CS was below par and I did not feel they saw the sense of urgency on these types of requests. Perhaps this is very common?

They put my account on block and all they offered was to create a new IHG account with no status match in the meantime. I have upcoming stays and about 8 nights for next year booked on points that were not redeemed.
triger02 is offline  
Old Oct 30, 2017, 3:15 pm
  #155  
 
Join Date: Mar 2006
Location: YQR
Programs: Nexus/GE, UA/MPG, Bonvoy Tit, LTP
Posts: 1,294
In follow up to my own case I was told they would take 4-5 business days and get back to me. After 3 weeks I contacted them. They asked me a whole slew of security questions, said they couldn't find my account (which they had closed when I reported the hack). After 20 minutes or so they found the report and reopened the account with a new email and PIN. As a final parting comment I was asked to be more careful, as if it was my fault the account was hacked. Left a sour taste. My plan is to use the points ASAP and then change to a different chain, for what is TBH, my back up chain only.
Fizzer is offline  
Old Nov 22, 2017, 11:43 am
  #156  
 
Join Date: Apr 2005
Location: KEL (1 Km) or HAM (85 Km)
Programs: LH SEN
Posts: 1,129
350K+ vanished a few hours ago. Email address change email was the trigger for me. Called and changed the email address to an unrelated one. Let's see how long the clean-up takes.

aidan
aidanc is offline  
Old Nov 25, 2017, 2:49 pm
  #157  
 
Join Date: Oct 2002
Location: San Jose, CA, USA
Posts: 77
Wow... came to Flyertalk forums expecting that I was going to be the only one who had points stolen and would need to start a new thread...

On Monday this week I logged on to IHG as I needed to book a couple of hotel nights in Canada... I immediately notice that 70,000 points had been redeemed...

What's amazing is that the points had been redeemed THAT SAME DAY and the reservation made, was for the following day!

Called IHG and eventually they determine that a booking has been made for a hotel in the UK that same night...

Obviously explain that it's nothing to do with me and IHG agent calls the UK hotel with me on the line - eventually, UK hotel staff confirm that "I" have already checked in, for the first of 2 nights...

Not sure what happened eventually (as hotel would not tell me...), but IHG confirmed that the guest was "apprehended" the following day and made to pay for the two nights by credit card - IHG customer service were great and they managed to credit the 70,000 points the same day (they did not open a fraud investigation...).

Two questions:

1. I'm wondering if someone had really hacked into my account, or if it was a mistake in the IHG system that redeemed points from the wrong account?

2. When I logged into the system on Monday and first noticed the points missing, I also noticed that the email address did not appear to have been changed and I certainly did not receive any kind of email confirmation, when the UK reservation was made (I even checked the junk mail folder).
mymontreal is offline  
Old Nov 28, 2017, 12:46 am
  #158  
 
Join Date: Jul 2009
Programs: Hilton Gold, Club Carlson Gold, IHG Platinum
Posts: 113
My account was hacked 10 days ago. I was suspicious that something was up when I received an email that my email address for the account had been changed. Called customer service. The CS rep said that 162K points were drained from my account. "Redeemed Points 4 Order Event". She also said the phone number and address on the account had also been changed to a Japan address. The CS blocked my account. CS said that the fraud department would get back to me in about 4-5 days. The fraud department never got back to me. I called tonight (10 days later), and got everything straightened out and got 162K points redeposited. You would think they could put an additional goodwill amount in for my time and trouble.

I am in IT and am aware of security best practices. Obviously with the 4 digit PIN, IHG is negligent. I am now concerned that a hacker now has my name, address, home and cell phone numbers, email address, and birth date.

In retrospect, there were a few times in the past several months where I tried to log in but was denied. I just assumed the system was down. Now I am wondering if there was a timeout on my account from too many login attempts. So the hackers just kept trying PIN numbers against my account over several months until they finally got in. There are only 10,000 combinations with a 4 digit PIN. On average, you would only have to try 5,000 times before the PIN was guessed. Easy to do with a bot net.

To reiterate, IHG is negligent. It may take a class action lawsuit for them to wake up and get their security brought up to current best practices.
alben is offline  
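The pattern described in the post above (occasional lockouts over months, guesses spread across many machines) is visible when failures are counted per account rather than per source address. The following is an added detection sketch, not part of the original thread and not IHG's code; the log format, account names, addresses and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed auth events: (timestamp, account, source_ip, outcome)."""
    start, events = datetime(2017, 9, 1), []
    # A100: 3 failures a day, each day from a different address, then a login.
    for day in range(20):
        for n in range(3):
            events.append((start + timedelta(days=day, minutes=n),
                           "A100", f"203.0.113.{day + 1}", "fail"))
    events.append((start + timedelta(days=20), "A100", "203.0.113.99", "ok"))
    # B200: owner mistypes the PIN twice, then logs in from the same address.
    for n, outcome in enumerate(["fail", "fail", "ok"]):
        events.append((start + timedelta(days=3, minutes=n),
                       "B200", "198.51.100.7", outcome))
    return events

def flag_accounts(events, window=timedelta(days=30), min_failures=25, min_ips=5):
    """Flag accounts whose failures are spread thinly over many sources.

    Thresholds are illustrative assumptions, not values from any real system.
    """
    by_account = defaultdict(list)
    for ts, account, ip, outcome in sorted(events):
        by_account[account].append((ts, ip, outcome))
    flagged = {}
    for account, rows in by_account.items():
        fails = [(ts, ip) for ts, ip, outcome in rows if outcome == "fail"]
        if not fails:
            continue
        last_fail = fails[-1][0]
        recent = [ip for ts, ip in fails if last_fail - ts <= window]
        per_ip = Counter(recent)
        if len(recent) >= min_failures and len(per_ip) >= min_ips:
            flagged[account] = {
                "failures": len(recent),
                "distinct_ips": len(per_ip),
                # Low value here is why a per-address rate limit never fires.
                "max_per_ip": max(per_ip.values()),
                # A success after the failure run suggests the PIN was found.
                "success_after": any(o == "ok" and ts > last_fail
                                     for ts, _, o in rows),
            }
    return flagged

if __name__ == "__main__":
    for account, detail in flag_accounts(build_sample()).items():
        print(account, detail)
```

On the constructed data only A100 is flagged: 60 failures from 20 addresses, never more than 3 from any one of them, followed by a successful login.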
Old Nov 28, 2017, 6:58 am
  #159  
 
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
Originally Posted by alben
To reiterate, IHG is negligent. It may take a class action lawsuit for them to wake up and get their security brought up to current best practices. (my emphasis in RED)
If they even brought up their security to best practices circa 1994 it would be a massive improvement.

I've said the same thing in this thread as you but this is IHG and nobody is listening. Maybe if 90%+ of members got their accounts hacked and drained of points they might take notice. On second thoughts, they probably wouldn't.
yurtripper is offline  
Old Nov 29, 2017, 5:25 am
  #160  
 
Join Date: Feb 2012
Programs: Priority Club
Posts: 110
Originally Posted by yurtripper
If they even brought up their security to best practices circa 1994 it would be a massive improvement.

I've said the same thing in this thread as you but this is IHG and nobody is listening. Maybe if 90%+ of members got their accounts hacked and drained of points they might take notice. On second thoughts, they probably wouldn't.
Anyone an expert in Data Protection legislation? - IHG seem to be able to let hackers have free rein at our personal data. Just a thought.

UKD
UKDegsy is offline  
Old Nov 30, 2017, 2:24 am
  #161  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Originally Posted by UKDegsy
Anyone an expert in Data Protection legislation? - IHG seem to be able to let hackers have free rein at our personal data. Just a thought.

UKD
IHG are fully covered. The data is legitimately provided to the logged on user of the membership account and is the member's personal data.

For IHG to have failed the DPL would need hackers to access a member's personal held data directly without signing on as the member.

There is no legislation regarding a duty of care on IHG regarding minimum security controls on member accounts.
scubaccr is offline  
Old Nov 30, 2017, 6:10 pm
  #162  
 
Join Date: Nov 2017
Programs: IHG
Posts: 1
Well, add me to the list. Was up in Oregon and tried to log onto my account to check my points and make reservations, but couldn't login. Called customer service and they said they couldn't find my account even by using my address. I didn't have my membership number with me. He indicated I could call them with it and get credit then. I just got home, looked up my membership number and logged in. All my info had been changed to bogus stuff in China and 30,000 (I only had 35,000 initially) points had been used in October at a Crowne Plaza Hotel in Hong Kong. I am going to call Membership tomorrow and see if I can get it reaccredited. But after reading this, I think I'm going to consider using a chain with better onsite security.

In today's day and age of hackers, it's inconceivable that corporations as large as this don't have better account security. I'm surprised this hasn't hit the news agencies.
drknapp is offline  
Old Dec 1, 2017, 4:02 pm
  #163  
 
Join Date: Dec 2009
Posts: 3
Unfortunately, I'm adding myself to the IHG hacked group. Tried to log into my account today, it was drained of close to 80k points. The hackers changed my email address so I couldn't log on. Apparently they do not have the security to notify you when your email and mailing address have been changed. They purchased Amazon gift cards and were mailed to a PO box (somewhere... they wouldn't tell me). The CS agent assured me they would open an investigation and my points would be returned. He was really rude, didn't seem to care at all. Now after reading all the other people on this site and others who have had the same problem, I'll be checking out of IHG. If they are this lax in their rewards program, they are not protecting my security anywhere. My entire identity can be stolen with the information they took from my account. I can't believe they have not taken this issue seriously - 4 digit security pin numbers can be hacked by a 12 year old.
morrsue is offline  
Old Dec 1, 2017, 4:24 pm
  #164  
 
Join Date: Nov 2013
Programs: NZ
Posts: 1,569
I agree that a 4 digit PIN is easy to hack. However I am wondering how they are getting your Email or Member #?

As I and others have suggested, I plan to "park" my points in a Points booking to safeguard my points. Just remember to cancel them before the stay!
minz56 is offline  
Old Dec 1, 2017, 5:49 pm
  #165  
 
Join Date: Mar 2017
Posts: 1,732
What is the best way to protect against such hacking? Changing passwords very frequently or some other technique?
puchong is offline  

