Why Loyalty Databases are Targets for Online Thieves

Value, Utility and Stability make your loyalty currency as valuable as money

Loyalty Equity is a Fiat Currency

People regard loyalty points and miles, i.e., the equity they accumulate through participation in loyalty programs, as equivalent to currency, a/k/a real money.

Research the Wise Marketer has conducted with Engage People indicates the utility of that currency matters to customers who are loyalty program members. The more flexibility they have in using the currency across channels of commerce, the more value they attach to the currency. That value is akin to “goodwill” on their mental balance sheet as it raises the perceived value of the points/miles/stars earned.

In other words, a 1% rebate redeemed as pure cash back in the form of a statement credit doesn’t generate much mental goodwill. Points redeemed as part of the checkout process in the shopping cart of your favorite ecommerce merchant serve up a dopamine hit to the consumer’s perception of the loyalty program.

It is not a stretch to define high-quality loyalty currency in the same way the market defines Stablecoins. Visa explains Stablecoins this way:

  • “A type of blockchain-based token designed to maintain a stable value, typically by being pegged to a fiat currency like the U.S. dollar or the euro and backed by reserves of cash or cash-like assets.
  • Unlike other forms of crypto, which are speculative and can have large swings in price relative to fiat currencies, stablecoins aim to remove that volatility and are built for utility — like sending money to a friend, paying for something online or even saving for the future.”

If your loyalty currency has clearly understood value, high utility, and stable value, your customers will also perceive it as highly valuable. Add to that the power of a popular brand and your loyalty currency merits the “thoroughbred” label.

If you agree that loyalty currency is a breed of fiat currency, then you will understand why that currency and the customer data associated with it have become desirable targets of fraudsters and online thieves.

Customer Loyalty Databases are Hot Property for the Bad Guys

Our research shows there have been at least eight unwanted incursions into customer databases since 2022. Each brand listed below operates a loyalty program, and in most cases the data exposed was partially or fully related to the loyalty program membership.

There are more we could add to the list, but we chose to share data breaches that were associated with well-known brands and made headlines at the time.

  • Air France/KLM (2025)
  • Qantas (2025)
  • The North Face (2025)
  • Krispy Kreme (2024–25)
  • Chick-fil-A (2022–23)
  • MGM Resorts (2023)
  • The Good Guys → My Rewards/Pegasus (2023)

Looking just at 2025, here are some details of each breach:

  • Air France / KLM (Flying Blue) reported unauthorized access via a third-party contact-center platform which exposed names, contact details, Flying Blue numbers & tier, and email subject lines. No passwords, cards, passports, or miles were said to be impacted.
  • Qantas reported a breach of a third-party call-center platform which exposed personal data including frequent-flyer numbers. No payment or passport data was stored there.
  • The North Face (VF Corp) reported a credential-stuffing attack on thenorthface.com resulting in customer-account data exposure. It’s relevant as the company operates a robust rewards program.

Several of the companies on the list publicly reported a breach or security incursion which explicitly involved loyalty identifiers or accounts (e.g., Caesars Rewards, Flying Blue, Qantas Frequent Flyer, Chick-fil-A One, The Good Guys’ loyalty program). It is common for brands operating loyalty programs to blend general customer data with loyalty identifiers. Whether the attackers were aiming at the loyalty data or considered it an incremental “benefit,” we do not know.

Data Loss Causes Threefold Damage

While a negative impact to consumer confidence may be the most enduring form of damage resulting from a data breach, there is a threefold set of tangible damages to consider:

  • Economic loss (legal, administrative, PR costs plus occasional ransom paid)
  • Operational disruption
  • Decline in market capitalization

In one of the most visible data incursions, MGM Resorts experienced about 10 days of property disruptions impacting reservations, slot machines, ATMs and POS in 2023. SEC filings quantified the loss as an approximate $100M hit to Q3 Adjusted Property EBITDAR. The company reportedly later paid $45M to settle class-action litigation related to the incident.

In the 2023 data incursion at Caesars Entertainment, a loyalty database was copied which included driver’s license numbers and Social Security numbers for many customers. Caesars reportedly paid a $15M ransom. Operations were unaffected, in contrast to the MGM experience.

The Impact on Loyalty Technology Providers

Loyalty tech providers are rarely named in the public disclosures of brands experiencing a data breach, but there are a few examples:

  • The 2011 mass email breach at Epsilon exposed client mailing lists for dozens of major brands including Marriott Rewards and Ritz-Carlton Rewards. This incident is dated, but considered to be one of the first documented incursions into large customer databases related to loyalty and CRM ecosystems.
  • Annex Cloud reported that in 2017–2018, a code issue led to data capture affecting Stein Mart customers. Litigation transcripts from 2019 provide additional information.
  • In mid-2025, a series of coordinated intrusions targeted the Salesforce environments of multiple high-profile companies, including Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, Pandora, and others. The incidents involved social engineering of customers and partners. Salesforce says its platform itself wasn’t breached.

The loyalty marketing community should be concerned with the protection of valuable customer data and the management of all aspects of data intrusion into customer loyalty databases. Inevitably, this is a high priority, but the industry talks more about fraud prevention than data protection.

A battle of syntax? Maybe. But having just returned from the Loyalty Summit Americas, there was little evidence that these topics were treated as headline material, though they were broached in the conference wrap-up panel.

The Loyalty Security Alliance (LSA) is one industry group taking the lead on loyalty fraud, and I imagine that Data Privacy and Protection is implied in the fraud topic.

A Call to Action

It’s time for the Customer Loyalty and CRM industry to create a working group to address these critical topics.

Just yesterday, The Wise Marketer hosted a panel discussion on the subject “The Intersection of Loyalty Data, Privacy and Personalization.” Moderated by Phil Rubin, Founder, Grey Space Matters, the panel brought together three loyalty and security experts to discuss all aspects of this topic.

Participating were Bill Swift, Chief Technical Architect, Capillary Technologies; Piyush Kumar, Chief Technology Officer, Capillary; and Jodi Daniels, Founder, Red Clover Advisors. The video discussion will be released soon, so keep an eye out for the announcement of that premiere. In the interim, if this topic is important to you and you are interested in discussing the formation of an industry working group to create consolidated viewpoints that can be leveraged by regulators, legislators, and lobbyists, contact us here.