Some IHG Accounts Hacked! – Check Yours is Safe Now


IHG Rewards Club has long been criticised for its weak security measures – the only password required to log in to an account is a 4-digit PIN, which you combine with either the membership number or email address. In an age where the average aspiring cyber criminal has more processing power in their back pocket than most intelligence agencies did just a few decades ago, a simple 4-digit PIN is clearly asking for trouble. When you ask for trouble, it almost always shows up, and in this case that means more IHG accounts hacked by criminals.

Reports on Flyertalk of hacked accounts and fraudulent Points transactions go back years, but the issue seems to be particularly bad right now. Indeed, my favourite Singaporean travel blogger The ShutterWhale just had 339,500 IHG Rewards Club Points swiped from his account this week!

He only noticed because he saw the transaction pop up on his AwardWallet account, which is a good reminder to keep a close eye on your Points. AwardWallet can certainly help with that.

IHG Points are valuable and can be turned into gift cards etc (admittedly at such a poor rate that I almost feel sorry for the crooks!), which are effectively cash equivalents, making large balances a tempting prize for hackers.

At times my IHG Points balance has been at a level I would easily value in the £1,000s and I know some business travellers have balances way beyond that. Few people would think it a good idea to put thousands in a bank account that had such poor protection, but with our IHG Points we don’t have a choice.

This isn’t intended as an anti-IHG rant (if you want one of those, just ask me what I think about the new website 🙂 ), but constructive criticism. It’s obviously only because I value IHG Rewards Club Points that I care about whether they are secure or not – and introducing a more advanced password system really isn’t a huge ask in 2018.

Bottom line

Check your IHG account now and take good care of your Points and Miles in general, even if the companies themselves don’t always make it easy.

Let’s, perhaps, not take things too far though – my brother managed to lock himself out of his SPG account for weeks after they introduced their new multi-level login protection!

Have you ever had Points stolen from one of your accounts?


  1. Andy says

    I had my account hacked! It took 4-5 hours to resolve and months of chasing. They offered 5000 points as compensation. Tried to speak to managers multiple times in the rewards department who just pass your call on purpose back to customer services. I’ve given up with IHG, security is too poor. My points were used for hotels in Thailand.

    • Joe Deeney says

      Sorry to hear that Andy! Unfortunately, I can’t say I’m hugely surprised to hear that IHG’s customer service added insult to injury. I find IHG to be good when everything goes smoothly, the Points promos are good, and they have some hotels I really like, but central customer service is normally poor – and compounded by bad IT.

  2. Craig Sowerby says

    Unfortunately there’s not much to be done. Regularly changing a PIN doesn’t particularly help much. If your account gets targeted by brute force then you are screwed. Once the bad guys are in, they don’t wait around before cashing out whatever they can. All you can do is catch it quickly and start the headaches with IHG customer service.

    Keep your account number private and use a modified, IHG-use only Gmail address perhaps?

  3. Janine Jasmine says

    I don’t understand how IHG are getting away with this 4 digit PIN absurdity. Here in the UK it’s a very clear breach of data protection regs, which state that BY LAW

    “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

    https ://

    Quite simply IHG are breaking the law. I strongly urge everyone to report them to the Information Commissioner.

    • Joe Deeney says

      Hi Janine,

      I’ve quite often (admittedly, idly) wondered about that myself. It does seem astonishing that security is so slack for something that can have such value.
