Reader Question: Has Anyone Else Had Their IHG Rewards Club Account Breached?


A LoyaltyLobby reader dropped me an email about IHG Rewards Club account breach and the reader was also wondering if this has happened to anyone else?


Remember that you can always email us, send a message via Facebook or use Twitter and include photos too. We’ll try to cover Reader Questions & Comments here several times a week.

You can access IHG Rewards Club here.

READ MORE: IHG Rewards Club Rate & Bonus Points And Miles Promotions

Here’s the email from the reader:

I am not sure if you or any of your readers can help. I recently had a fraudulent transaction on my IHG club member account. I am a platinum elite member.

On January 17th, I received an email saying “thank you for updating your account”. I didn’t pay too much attention to the email initially but after a while I saw that my points had gone down significantly. After checking at my previous account status, I saw that 71,000 points were missing.

I called customer service and the person on the line –most likely from India due to the accent – said to me that there was a fraud because my account stated that I was based in China and I am based in Seattle. She said that she will close temporarily the account until there is some sort of verification and feedback on the transaction.

Three weeks later, my account is still suspended with no much news on when it will be reopened and the points reversed.

Of course I emailed the customer service multiple times and being rather nasty latterly as they do nothing about it. The last email was the most alarming send on February 1st.

Here it is:

Your current account is being reviewed and rest assured that we’ll recover all your points that were redeemed without your permission. Once the redemption transactions on your account were proven as fraud, all your restored points will be transferred over to your new account if you’ll chose to have a new one. But, there is nothing wrong if you want to keep your current account. Just provide an alternate e-mail address for security purposes.

I look forward to receiving your reply.

Kindest regards,

What does it mean? That they haven’t yet decided that I am NOT the one who made the transaction? And why while being investigated I can use the account with a different email? I don’t want to provide another email while it is not clear what happened.

First email sent on January 27th after asking for information regarding this issue and hot having heard from them for 9 days:

Greetings from IHG Rewards Club! My name is …. and I’m happy to help you with your Platinum Elite account.

I’ve checked your account and we’re still currently waiting feedback from our specialist with regards to your account issue. I kindly ask for your patience and understanding regarding this matter.

Rest assured that feedback will be sent once they provide us a response.

Thank you for your email. Let me know if there’s anything else you need–I’ll be happy to help.


Email sent on January 31st:

Thank you for your email.

I’m so sorry for the inconvenience this has caused you and I understand the disappointment you felt on this matter. Our contacts are still making the necessary investigation about your concern and once it gets resolved, rest assured that the lost points will be credited back on your account.

In the meantime, may I ask if you want to have a new account (please provide your preferred account information for enrollment) or just change your email address on file, yet we will be needing your new email address. This is because I want to make sure that this incident won’t happen again in the future.

I look forward to receiving your reply. If you need anything else, feel free to let us know – we’d be happy to follow up.

Have a pleasant day. Take care.

Second email sent on January 31st:

I’d like to thank you for taking the time to reply and I hope you’re doing well.

I understand your sentiment, however, please be advised that our specialists are still reviewing your account, as such, we can’t proceed until we receive a feedback. In the meantime, I’d like to ask for the following information for verification:

• Original Mailing / Postal Address
• Original Telephone Number
• Original Email Address
• Hotel Name And Check In Date Of Most Recent Stay

If you need further assistance, let us know by sending us an e-mail to

I find this rather strange. They don’t know my contacts details?

Has anyone had a similar problem with IHG? I wonder if there is another service or an executive to contact and by pass customer service?

What it takes so much time to get this “feedback” and who is getting this feedback in any case? I remember that years ago when I was living in London, my bank account had a fraudulent transaction for about 1000 pounds. It took Barclays 2 weeks to put the money back to my account and they apologized many times for the delay. If a bank reverses the money in just 2 weeks (and admittedly they could have done it earlier), why a hotel membership club can’t just deal with unauthorized points used faster and more efficiently? They knew from day 1 that there was someone in China based on the customer service rep.

It is really unfortunate that IHG doesn’t seem to care enough to make the decision to move away from using four digit PINs that are inherently not secure enough to guard anyone’s account.

Yes. These account takeovers happen everyday and there are underground markets where breached accounts are sold for cash. Usually, the person who hacks the account is not the one who clears it from the points by selling the award nights to third parties or uses the points for merchandise that can be later exchanged for cash.

The reader should call the IHG Reward Club during the US business hours and ask to speak with the Customer Relations and escalate until someone in the Salt Lake City picks up the call. Seems that IHG’s Customer Contact Center in the Philippines is not handling this case very efficiently.


You would think that someone at the IHG would have looked at this issue already years ago and decided that they must act upon and yet here were are still using four digit PINs and accounts being taken over?

If they decide not to do anything, at least they could act swiftly by restoring the account access for members whose accounts have been affected? Shouldn’t bee too difficult, right?