Last Saturday I had a few idle minutes and decided to clear out the junk email under the Promotions tab on my Gmail account. It was lucky I did, because I found an email from Hilton telling me that there was points redemption activity on my account:
I knew immediately that something was wrong. I hadn’t booked a points stay with Hilton since last May. I logged onto my Hilton account to see what was going on. There I found that someone had used 60K of my points to book the Hilton Chicago for that night. I tried to cancel the stay, but the system told me that the time window for cancellation was over.
Hack 1: 60K Points Stolen
I was sure that my account had been hacked. I checked my account details to see if the hacker had changed my email address, home address, or phone number. No, it was all there with my original info. I quickly deleted the stored credit cards, just in case. And I updated my password for good measure.
I called Hilton’s customer care line and told them what happened. The agent asked for the reservation confirmation number, which I gave her. Then, before she could proceed with the call, she asked me for my email address in order to confirm my identity. She said, no, that didn’t match. Then she asked for my phone number. Again, it didn’t match. It turned out that she was looking at the email address and phone number on the reservation rather than on my account. The points thief had put a different phone number on the reservation (I don’t know for sure that it was a guy, but that’s what I imagined), along with an email address that looked a lot like mine, but wasn’t.
After verifying my identity against the info stored in my account, the agent put me on hold to investigate. When she returned to the line she said that the booking had been made by phone. She said that the Hilton employee who took the reservation had gone against procedure and would be re-trained. They should have sent an email verification to me first before agreeing to put a different email on the reservation. Plus, they should have sent a copy of the booking details to the email address on the account, but it was only sent to the email address on the reservation. It was lucky that Hilton had sent me the point redemption verification email!
The phone agent was able to work with the hotel directly to cancel the reservation and return my points. All was well again. Or so I thought…
Hack 2: 280K Points Stolen
The next few days were busy and I didn’t check the Promotions tab in Gmail at all. That was a mistake. On Tuesday, I was sitting in the DCA Delta SkyClub about to return home from a short trip when a message popped up on my phone saying that it was time to check in to the Hilton Chicago O’Hare Airport.
Wait, what?! This points thief loves Chicago.
I tried and failed to log into my Hilton account to see what was going on. Oh, crap…
A bit frantic, I called Hilton Customer Care. This time the email on my account didn’t match. Neither did the phone number. The jerk had somehow changed all of the contact info on my account. While the first phone agent stayed on the line, I was transferred to a special security department to verify my account. Luckily they were able to verify me… eventually. The security guy was also able to fix my email address and reset my password. Now I was able to get back into the account. Once there, I restored my phone number to the account.
Now that I could get into my account, I could see that 280,000 points were missing. There was no indication, though, of what was done with those points. Nothing was shown under reservations or under “all points activity”. Back on the phone with the original agent, she opened a ticket to investigate the incident and to hopefully restore my points. She also froze my account so that points could no longer be used until the investigation was completed.
Waiting for resolution
Now I’m waiting. I’m waiting for my points to be restored and hopefully for Hilton to improve their security so that it can’t happen again. The latter is most important in the long run. With all of the data breaches that have happened, our personal information is out there. There’s no putting that genie back in the bottle. And as long as phone agents grant access to accounts by verifying who you are with that same personal information, it’s all too easy for thieves to do what they did here.
While I wait, I’ve been refreshing my AwardWallet account balances daily. Some programs are even more lax with account security. Those can be hit any time as well!