Stolen Miles: American Airlines Requires An FBI Report
My wife found miles were stolen from her American Airlines account; to get them back American Airlines needs an FBI report.
Another Reward Hacked Account
There have been so many data breaches from nearly every corner of our online communities that it’s no surprise an account gets hacked. With somewhere around 60 loyalty account balances (and their incessant emails), we are certainly exposed and it’s no surprise that we aren’t as diligent about monitoring our accounts or updating old emails on them.
My wife logged into her American account to find a mileage balance of just 65 miles and an obvious case of a compromised account. After the initial shock, she began checking the account to see how she could have missed this. She received an email of a change to her account and located the email address they changed on her account. After some searching, she found the email sent notifying her of this change made several months ago.
As with any situation of this type, the responsibility falls squarely on us – it is our duty to monitor for security issues. Was the account hacked or was it a matter of our personal information traded on the dark web in which case account security is mostly our responsibility?
I’ll offer one note on this front. Loyalty programs send an excessive amount of offers via email. Around 99% of them do not interest us at all, but for the 1% of the time that something is absolutely perfect, we acquiesce to deleting the vast majority as we watch for something just right.
My initial response is that we should unsubscribe from all emails reducing the junk and allowing us to more clearly see where there’s a concern. If airlines like American wanted to stop customers from leaving the email list and reduce the cost and time spent recovering compromised accounts, perhaps when an account email is changed, make it double opt-in with a clickable link to the prior email address confirming the change. If the link isn’t clicked, the email doesn’t change. Two-factor authentication would also solve this issue but can be a pain and adoption among some users lags.
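The double opt-in email change suggested above, sketched as an added example (not American Airlines' implementation and not code from this post). The Account class, the function names, the signing key and the 24-hour confirmation window are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process signing key
TTL_SECONDS = 24 * 3600                # assumed confirmation window

class Account:
    def __init__(self, member_id, email):
        self.member_id = member_id
        self.email = email
        self.pending = None            # (new_email, nonce, expires_at)

def _sign(member_id, new_email, nonce, expires_at):
    # Bind the token to this member, this new address and this expiry.
    msg = "\n".join([member_id, new_email, nonce, str(expires_at)]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def request_email_change(account, new_email, now=None):
    """Stage the change; return (recipient, token) for the confirmation mail."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expires_at = int(now) + TTL_SECONDS
    account.pending = (new_email, nonce, expires_at)
    sig = _sign(account.member_id, new_email, nonce, expires_at)
    # The link goes to the address currently on file, never to new_email.
    return account.email, f"{nonce}.{expires_at}.{sig}"

def confirm_email_change(account, token, now=None):
    """Apply the staged change only for a valid, unexpired, single-use token."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    new_email, nonce, expires_at = account.pending
    sig = _sign(account.member_id, new_email, nonce, expires_at)
    expected = f"{nonce}.{expires_at}.{sig}"
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False                   # wrong or tampered link: nothing changes
    if now > expires_at:
        account.pending = None         # expired: discard, address unchanged
        return False
    account.email, account.pending = new_email, None
    return True
```

Until confirm_email_change succeeds, account.email stays at the prior address, so notifications about the account keep reaching the original owner.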
Loyalty programs have seen an uptick in compromised accounts over the last year and the situation is only getting worse.
Following the Process
For compromised accounts, American Airlines offers an AAdvantage phone number open 8a-8p Monday through Friday. Speaking with a representative, some security questions are asked and my wife was able to confirm her identity.
The representative then begins the process of analyzing genuine redemptions out of the account vs stolen.
This one was pretty easy. The passenger name was listed, flying from Dallas to Columbus. They redeemed 12,500 AAdvantage miles for a standard coach award. They had changed the email address close to the departure date, booked and traveled the flight right away, and went undetected for months after. It’s possible that even the incredibly diligent could have their account email address changed, an award flight booked, and even flown before the account holder could notice, for example, if they were on a trans-Atlantic flight or simply sleeping.
The representative went through the procedures, identified and confirmed the fraudulent activity, created a new account, locked the old account, and requested an account merge which can take 30 days. It’s important that her million-miler progress and history as a customer transfers to her new account.
But then to the matter of the 12,500 miles we’d like back. Of course this isn’t a ton of miles, but from time-to-time, flights to New York from Pittsburgh can exceed $500 but are still available for redemptions at 5,000 miles each way – an unlikely surprise value on a per point basis.
American Airlines’ procedure to recover the miles – even just 12,500 – is to file a complaint with the FBI and submit that back to the airline.
Initially, I thought the added impediment was solely to slow claims, the airline assuming most won’t bother. However, American included a link to file the report, and even provided some of the information needed (assigning a value of $125 to the 12,500 miles.) The instructions were clear that a PDF must be submitted in order to recover the miles and outlined that process.
Some of the questions on the FBI complaint were confusing, but after a few extra minutes it was completed. If and when she sees those miles return to her account will be another matter.
This Seems Egregious
We have had three accounts compromised of which we are aware. I had a Hilton account compromised a couple of years ago and even though I was right on top of that incident, I still have problems logging in years later. I reported on my compromised Alaska Airlines account a few months ago.
In both cases, the miles/points were immediately replaced following securing the account rigorously (I have to call in to Alaska moving forward.) If we assign the same 1¢/point value to the Alaska miles (they are worth far, far more than this) it would have been more than $1,500 in stolen points using the American Airlines’ FBI report method. Hilton at half that amount would have been even higher at $2,000 stolen.
For 12,500 miles, it seems egregious. Obviously, other carriers are not as zealous and neither of us has any confidence that something will actually be done to the traveler with the FBI report. It may have something to do with American’s own insurance policy. And there’s no evidence that the traveler was party to the theft so I really don’t see the point. Further, it frustrates customers who are particularly stressed at a moment of vulnerability and likely stacks another digital file on an FBI station somewhere.
If the theft was more substantial, I can understand the need for this process. It wouldn’t be hard for a bad actor to generate this process as a little mileage minting machine.
That said, miles and points are literally made-up. They have tremendous value if used properly, or no value at all if they expire. Industry documents have shown that loyalty programs as a whole are in the 90%+ margin range. The marginal cost for an airline to award an economy seat on a domestic US flight is less than $5, long haul business class has been estimated at less than $35. Award seats booked close-in are for flights that would otherwise fly with empty seats meaning that this specific case (because it was booked so close to travel) is not replacing a revenue passenger that would have occupied the seat.
My point is that the airline, to make a full replacement of the miles, stood to lose less than $5. I could go further into the cost American Airlines spent to come up with such a policy, the implementation, the evaluation of returned FBI reports, customer service time on the phone to explain the procedure – in aggregate, it costs them far more to implement its FBI report policy than to simply be magnanimous.
Conclusion
In the end, American will replace the miles, so the thief didn’t steal from us as much as they stole from American. One could argue that poor monitoring of the account was in part to blame when the email address was changed. But it’s impractical to believe that customers are going to be receptive to every email especially when the company drowns them in marketing. If the policy will be to replace the miles anyway, then what really matters is how your clients feel at the end of the interaction. After such a violation of privacy (think of all the information stored on your AAdvantage account) members are already stressed and it seems petty and unnecessary to require this when the rest of the industry does not.
What do you think?