A LoyaltyLobby reader gave us a tip that the Nordic hotel chain Scandic, which at one point was part of Hilton and still manages three Hilton hotels in Finland, has been affected by a hack.
It appears that fraudsters used automated bots to break into Scandic Friends accounts with weak passwords and then redeemed the points for gift card awards, which are easy to resell.
You can access Scandic here.
Here’s the statement from the Scandic spokesperson:
In mid-February, our IT security department discovered fraudulent activity involving our loyalty program. Only a small number of members were affected and the purpose of the fraud attempts was to obtain a few members’ points to buy gift cards in our point shop.
Our IT security department has acted quickly to identify and stop the fraud attempts and passwords and trace the attempted fraud to various foreign IP addresses. In the cases where the perpetrator has committed fraud attempts, information such as members’ names and order history may have been accessed. No information such as encrypted credit card information or employee data has been affected.
The few affected members have been contacted and the incident has been reported to the Swedish police.
We have also further increased our security in collaboration with our IT security provider and introduced more complex security requirements for passwords and decided to implement planned IT security solutions ahead of schedule to further strengthen the overall security of the loyalty program.
It appears that the hackers didn’t breach Scandic’s internal systems, as happened in some other hotel-related hacks, but rather tried to get access to member accounts by guessing their passwords using automated tools.
You should always use complicated passwords, and loyalty programs should have two-factor authentication in place for third-party merchandise awards, which are more often redeemed fraudulently.