Aeroplan, PC Optimum grapple with points theft as thieves drain accounts, book flights

Loyalty programs Aeroplan and PC Optimum have both recently been hit with multiple cases of points theft. PC Opimum is now introducting tougher security measures for members.

PC Optimum has announced new security measures including stronger password requirements

Christina Rayburn in Hamilton was surprised to learn that a thief had stolen her Aeroplan miles and used them to book a flight. (Submitted by Christina Rayburn)

Points thieves are on the prowl.

Loyalty programs Aeroplan and PC Optimum have each recently been hit with multiple cases of points theft. Flights have even been booked using stolen Aeroplan miles.

"I was blown away," said Christina Rayburn, after discovering that someone had swiped most of the miles from her online Aeroplan account and taken a trip.

"The fact that they were able to do that kind of concerns me."

Cyber thieves are going after Canadians’ stockpiles of lucrative loyalty points. (CBC)

Cyber thieves are increasingly targeting Canadians' stockpiles of lucrative loyalty points — PC Optimum has dealt with points theft since the program launched in February.

Some cybersecurity experts say rewards programs need to beef up security to help protect members.

So perhaps it's no surprise that PC Optimum has just launched stronger password requirements, and plans to soon roll out two-step authentication when members try to access their account.

Toronto-based cybersecurity expert Ritesh Kotak applauds the move.

"Start treating these points cards with the same security that we use for online banking," he said. "Until we do that, we're going to keep seeing these issues popping up."

Flying off with stolen miles

Aeroplan member Rayburn, who lives in Hamilton, noticed something was amiss on July 13.

More than 100,000 points had been hijacked from her account, and a new name, email and contact number had been added — all of which she didn't recognize.

"I was a little freaked out."

She called Aeroplan and discovered her stolen points had been used to book a round-trip flight. The travel rewards program didn't reveal the route.

Rayburn did learn that the outbound flight had already been taken. Aeroplan was able to cancel the return trip, and refunded her points the following day.

"They apologized profusely," she said. "Obviously, they recognized a pattern."

Former Newfoundland and Labrador politician Steve Kent discovered that thieves booked two flights using his Aeroplan miles. (Sherry Vivian/CBC)

Back in May, former provincial Newfoundland and Labrador politician Steve Kent discovered that two separate domestic flights had been booked using close to 100,000 of his Aeroplan miles. The tickets were in names he didn't recognize.

Fortunately, Kent was able to cancel them before takeoff.

"I was obviously surprised that my account had been compromised and concerned that somebody could actually get that far using fraudulent means," he said.

Aeroplan didn't provide any specifics on Rayburn or Kent's cases except to say that it has returned their points.

"A very small percentage" of the program's members have been affected by recent points theft, said spokesperson Christa Poole in an email.

She said the thefts are often the result of a member's account being compromised due a weak password, using unsecured networks, or phishing scams where people are duped into clicking on a link and divulging sensitive information.

Poole did say that Kent's case was likely the result of him using an unsecured network.

"Blaming a loyal customer for their weak security practices is not a good business strategy," Kent said in response.

Aeroplan defended its security practices.

"Protection of member information is our highest priority at Aeroplan and we have security measures in place," said Poole.

The program has also posted tips for how members can protect their accounts, including changing their password frequently and avoiding using unprotected Wi-Fi networks. 

PC Optimum gets tough

After a string of points thefts, PC Optimum's owner, Loblaw, advised back in March that "strong, unique passwords protect personal information and points."

The thefts continued. Loblaw declined to provide a current tally of victims.

More than 60 PC Optimum members have reported they've experienced points theft, one of the most recent being Suzanne Soto-Davies in Burlington, Ont.

Suzanne Soto-Davies in Burlington, Ont., had 250,000 PC Optimum points stolen from her account, worth $250. (Larissa Soto)

According to her account records, on July 8, a thief spent 250,000 of her points — worth $250 — at two Loblaws grocery stores in Quebec.

"You automatically feel violated," said Soto-Davies, who says she got her points back after reporting her case.

"They had apparently broken into my password."

PC Optimum requires all members to adhere to beefed-up password requirements by Aug. 31. Two-step authentication will be added in the coming months.

"We're always looking for ways to help protect our members' accounts," said spokesperson Catherine Thomas in an email. She said the changes are part of "ongoing security enhancements."

Cybersecurity expert Kotak says it's hard to catch a cyber thief who can hide their identity online, so prevention is key to fighting off fraudsters.

"These are your points. You've gone out, you've spent real money," he said. "Several mechanisms need to be put into place to ensure you don't become a victim."

About the Author

Sophia Harris

Business reporter

Sophia Harris has worked as a CBC video journalist across the country, covering everything from the start of the annual lobster fishery in Yarmouth, N.S., to farming in Saskatchewan. She now has found a good home at the business unit in Toronto. Contact: sophia.harris@cbc.ca