Travel-related websites have been hit hard with data breaches over the past few months, with hackers infiltrating more than 20 sites. Two of them were United Airlines and American Airlines, TechWorld reports, and it’s not necessarily your personal information the hackers are after. These guys want your miles. 

Miles Good as Cash 

Gaining access to airline reward and loyalty cards is nearly as good as cold, hard cash, according to online security expert Alex Holden. He says criminals can use stolen reward points to buy airline tickets, and then sell those tickets for cash. They can also exchange stolen miles at sites like, where they can redeem them or use them to buy gift cards. 

The United Airline breach involved 36 MileagePlus loyalty card accounts, where hackers gained entrance by reusing login information they found elsewhere. The American Airlines attack involved 10,000 passenger accounts, two of which were used to schedule free travel or a travel upgrade. Both airlines said the usernames and passwords were not obtained through the company sites, but rather from other sources. 

Holden doubles as CTO of Hold Security, a firm that monitors illegal trade and alerts companies if their data is discovered. His company regularly spots lists containing travel-related login information for sale. Other means of obtaining travel-related information is by hacking into travel agencies. 

Holden and crew can frequently determine where the information came from based on website structures, file names and types of data in the stolen databases. In other cases, hackers blatantly advertise where they obtained the list to make their sales pitch more lucrative. 

Travel-related information has already become fairly lucrative, now demanding the same price range formerly reserved for information from dating and employment websites. Criminals are hot for dating site information to send spam selling products like Viagra. Employment site information can be useful for launching job-related spam, such as work-at-home scams. 

Cyber Gang 

One of the biggest thefts Holden and crew uncovered was by a gang out of Russia. Nicknamed “Cybervor,” the gang got its hands on a database packed with 1.2 billion usernames and passwords along with 500 million email addresses. More than 420,000 travel industry websites were affected, including Southwest Airlines, and Expedia.

Keep your travel expenses secure – and easily managed – with the best expense report software.

Have you addressed potential corporate travel security breaches? Share your best practices with us.


Our choice of Chrome River EXPENSE was made in part due to the very user-friendly interface, easy configurability, and the clear commitment to impactful customer service – all aspects in which Chrome River was the clear winner. While Chrome River is not as large as some of the other vendors we considered, we found that to be a benefit and our due diligence showed that it could support us as well as any large players in the space, along with a personalized level of customer care. Sally Abella, Director of Corporate Travel Harman International
We are excited to be able to enforce much more stringent compliance to our expense guidelines and significantly enhance our expense reporting and analytics. By automating these processes, we will be able to free up AP time formerly spent on manual administrative tasks, and enhance the role by being much more strategic. Ben Zastrow Zelle