Free rewards, exclusive discounts, VIP perks – it all sounds like a great deal. However, when you join a loyalty program, you’re giving more than you’re getting. These programs don’t just know what you buy – they know who you are and where you live.
From your email and phone number to your shopping habits and even your real-time location: loyalty programs collect it all.
Unfortunately, malicious hackers know it too. When breaches hit these systems – and they happen more often than you think – your personal information is stolen instantly.
In the world of loyalty programs, it’s not just about rewards – it’s about what you’re giving up to get them.
What loyalty programs know about you
You’re at the checkout or browsing online, and you’re offered a loyalty program: sign up, earn points, and save money. All you need to do is provide a bit of information.
First, they ask for your email address. It makes sense – they need a way to send your points balance and those juicy offers. Your phone number is next. They say it’s for account verification or exclusive text alerts. And, of course, your home address is useful for shipping.
There are always a few optional fields: your age, gender, and maybe even your work sector. Optional, sure – but you’re tempted to fill them in.
Once you enroll, the program starts keeping tabs on your shopping habits. What do you buy? How often do you shop? Are you a late-night online spender or a weekend in-store browser? It’s all tracked.
When there’s an app involved, it gets even more complicated. With location tracking enabled – because you clicked Allow that one time – the app knows when you visit a store and how frequently you come back.
It all feels so normal – just the stuff you’d expect for a program designed to reward your loyalty. But when you step back and think about it, it’s a little unsettling. This isn’t just a rewards program: it’s a data collection engine. Every click, scan, and swipe adds another layer to your profile – a profile that’s not just yours. It’s theirs.
The hidden dangers of loyalty rewards
The same data that companies collect to reward you becomes a goldmine for cybercriminals when those systems fail to keep it secure. This isn’t just theoretical. It’s a well-established scheme that unfolds step by step, with your personal information at the center of it all.
The whole method looks somewhat like this:
- Step 1. Hackers breach poorly protected loyalty program data, or companies themselves sell it
- Step 2. Data is leaked or shared on underground data markets
- Step 3. Scam centers purchase bundles of phone numbers, emails, and personal info
- Step 4. Scammers use the data to target victims, stealing money through phishing, fraud, or scams
You get a suspicious call claiming you’ve “won a prize” or a text pretending to be from your bank. The message feels just convincing enough to make you pause. Have you ever wondered how they got your number? There is a high chance this is how.
All while you’re feeling good about that free coffee or $10 off your next purchase.
50 million accounts breached in the US in 2024
Data collected using the Cybernews Personal Data Leak Checker, which aggregates information from publicly available breach sources, paints a troubling picture of the scale of data exposure in the United States.
While not all breaches stem directly from loyalty systems, the sensitive information they store – such as emails, phone numbers, and purchasing behaviors – makes them particularly vulnerable.
Recent findings reveal that 5,708,9913 email addresses, 119 websites, and billions of phone numbers have been exposed in US-based breaches. That's in 2024 alone.
Alarmingly, one in three service industry companies has experienced a breach: a clear sign of how widespread and under-protected these systems remain. Cybercriminals exploit weak defenses to steal sensitive details – emails, phone numbers, and even reward points – and use tactics like credential stuffing to infiltrate accounts.
This isn’t just a US problem.
Globally, loyalty systems in countries like France, India, and Germany face similar challenges. Millions of consumers are exposed to identity theft and fraud.
| Country | Email breach data (Q1-Q3 2024) |
| --- | ---: |
| France | 16,676,758 |
| India | 13,056,091 |
| Germany | 11,454,178 |
| Brazil | 7,673,011 |
| Italy | 6,556,543 |
| UK | 5,373,986 |
| Poland | 3,776,691 |
| Spain | 3,371,482 |
| Australia | 3,054,178 |
| Canada | 2,967,525 |
Stolen personal data is combined with other leaks to open fake accounts, drain loyalty balances, or craft targeted phishing scams that are difficult to spot.
Loyalty cards and gift cards that can hold money are also popular among scammers, as they can redeem the balance without drawing any suspicion from banking regulators. If your details have been hacked, scam call centers will definitely attempt to swindle you out of your money.
For businesses, the consequences go far beyond financial losses. Data breaches erode consumer trust – a commodity that, once lost, is nearly impossible to rebuild.
How to protect your data from loyalty program breaches
Waiting for private companies to introduce stricter privacy measures, or for the government to start regulating loyalty programs, is not a viable option when your data is at risk here and now.
You can’t control the system, but you can control how you engage with it.
There are safety measures you can take to reduce the chance of your sensitive data leaking or to minimize the damage in case of a data breach.
Avoid sharing personal information when possible
Loyalty programs usually do not require highly specific personal information to sign up. Unless you’re required to provide your phone number or verify your identity by showing your ID, you can make up a whole new identity just for the rewards program.
Not giving your real name is one way to do it. Another is to have an email alias specifically for loyalty programs. You can create an email or take advantage of some services’ email alias features. For example, Google Workspace allows you to create several aliases, and password managers, such as NordPass, also have an email masking feature that permits aliases.
I highly recommend getting an email alias, as it’s handy when subscribing to newsletters and loyalty programs and helps prevent your true email address from leaking in case of a data breach. That, in turn, will help you avoid phishing emails or hacking attempts.
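To make the alias advice concrete, here is an added example (not code from Cybernews or from any of the services named above) that hands every loyalty program its own address and, when a breach dump turns up, tells you which program leaked it. It assumes a mailbox that honours subaddressing (`user+tag@domain`), which Gmail and several other providers do; all addresses and the dump are constructed. It also shows the limit of that technique: anyone holding a subaddress can recover the real mailbox by dropping the `+tag`, so a masking service that forwards from a separate domain is what you need to actually hide it.

```python
# Added example (not Cybernews code): one alias per loyalty program, so a
# leaked address points straight back at the program that leaked it.
# Assumes a mailbox that honours subaddressing ("user+tag@domain"), which
# Gmail and several other providers do; every address below is constructed.
import re
import secrets


def make_alias(mailbox: str, program: str) -> str:
    """Build a subaddress alias unique to one program.

    The random suffix keeps aliases unguessable: knowing the alias handed to
    one program does not reveal the alias handed to another.
    """
    local, domain = mailbox.strip().lower().split("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", program.lower())
    return f"{local}+{tag}-{secrets.token_hex(3)}@{domain}"


def base_address(address: str) -> str:
    """What anyone holding a subaddress can recover by dropping the '+tag'.

    This is the limit of the technique: subaddressing attributes a leak, but
    it does not hide the real mailbox. A masking service that forwards from a
    separate domain is needed for that.
    """
    local, domain = address.strip().lower().split("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"


class AliasRegistry:
    """Remembers which alias was given to which program."""

    def __init__(self, mailbox: str):
        self.mailbox = mailbox.strip().lower()
        self.by_alias: dict[str, str] = {}

    def register(self, program: str) -> str:
        alias = make_alias(self.mailbox, program)
        self.by_alias[alias] = program
        return alias

    def attribute_leak(self, leaked: list[str]) -> dict[str, str]:
        """Map each leaked address back to the program it was given to."""
        hits = {}
        for addr in leaked:
            key = addr.strip().lower()
            if key in self.by_alias:
                hits[key] = self.by_alias[key]
        return hits

    def real_mailbox_recoverable(self, leaked: list[str]) -> bool:
        """True if the dump contains the real mailbox or any subaddress of it,
        i.e. a spammer can reach the real inbox by stripping the tag."""
        return any(base_address(a) == self.mailbox for a in leaked)


if __name__ == "__main__":
    registry = AliasRegistry("jane.doe@example.com")  # constructed mailbox
    coffee = registry.register("Coffee Club")
    fuel = registry.register("Fuel Points")
    # Constructed breach dump: one of our aliases plus unrelated addresses.
    dump = [coffee.upper(), "someone@else.test", "bob@example.org"]
    print("leak attributed to:", registry.attribute_leak(dump))
    print("real mailbox recoverable from dump:", registry.real_mailbox_recoverable(dump))
    print("fuel alias still clean:", fuel not in [a.lower() for a in dump])
```

The registry is the piece that makes aliases useful beyond spam filtering: once you know the Coffee Club alias is in a dump, you know which account to rotate and which program name to expect in phishing lures.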
Don’t wait for late breach announcements
Companies usually notice a data breach way too late. They’re also not very keen on sharing when there’s been a leak concerning their customers.
However, you can monitor your data yourself and take action if you find something suspicious. There are various tools that can help you with it.
Cybernews Data Leak Checker was designed for just that purpose. All you need to do is enter your phone number or email address, and it will check whether that data appears in any of the breach sources it aggregates.
If you find that your account details have been leaked, you can change passwords, add 2FA, and overall safeguard the affected data.
Another way to find out if your data has been compromised is to take advantage of dark web monitors, usually available with advanced password managers and VPNs like Surfshark. The service scans the dark web and notifies you if your details are leaked or up for sale.
If you regularly check your personal accounts for leaks, you won’t be caught off guard if a data breach happens. You can take action to protect your sensitive information before malicious agents exploit it.
That way, even if you can’t create an alias for your rewards program, you would at least be able to protect your most important accounts.
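The section above describes checking your addresses against breach data. The following added example (not the Cybernews Data Leak Checker's implementation, nor any vendor's) shows one privacy-preserving way such a check can be built: the client hashes the address locally and sends the server only a short hash prefix, then finishes the match itself, so the checking service never learns the exact address being queried. That is the k-anonymity pattern used by Have I Been Pwned's Pwned Passwords API; whether any given checker works this way is an assumption, and the breach index and program names below are constructed.

```python
# Added example (not the Cybernews Data Leak Checker's implementation):
# checking an address against a breach index while sending the server only
# a hash prefix, the k-anonymity pattern used by Have I Been Pwned's
# Pwned Passwords API. The breach records and program names are constructed.
import hashlib

PREFIX_LEN = 5  # hex chars sent to the server; 5 matches the HIBP design


def normalise(email: str) -> str:
    return email.strip().lower()


def email_hash(email: str) -> str:
    return hashlib.sha256(normalise(email).encode()).hexdigest()


# --- server side -----------------------------------------------------------
# Constructed index: hashed address -> names of the dumps it appeared in.
_BREACH_INDEX = {
    email_hash(addr): sources
    for addr, sources in {
        "alice@example.com": ["RetailRewards-2024", "CoffeeClub-2023"],
        "bob@example.com": ["RetailRewards-2024"],
        "carol@example.com": ["TravelMiles-2024"],
    }.items()
}


def server_lookup(prefix: str) -> dict[str, list[str]]:
    """Return every indexed hash that starts with the prefix.

    The server learns only the prefix, never which entry (if any) the client
    is actually interested in.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly PREFIX_LEN hex characters")
    return {h: s for h, s in _BREACH_INDEX.items() if h.startswith(prefix)}


# --- client side -----------------------------------------------------------
def check_email(email: str) -> list[str]:
    """Hash locally, fetch the bucket for the prefix, finish the match locally."""
    h = email_hash(email)
    bucket = server_lookup(h[:PREFIX_LEN])
    return bucket.get(h, [])


def check_many(addresses: list[str]) -> dict[str, list[str]]:
    """Check the real mailbox and every alias at once; report only the hits."""
    report = {}
    for addr in addresses:
        sources = check_email(addr)
        if sources:
            report[normalise(addr)] = sources
    return report


if __name__ == "__main__":
    # Constructed watch list: a real mailbox plus per-program aliases.
    watch = ["Alice@Example.com ", "alice+coffee@example.com", "dave@example.com"]
    for addr, sources in check_many(watch).items():
        print(f"{addr}: seen in {', '.join(sources)} -> rotate password, enable 2FA")
```

With a real index the bucket behind a 5-character prefix holds hundreds of entries, which is what gives the client plausible deniability about which one it was after; with three constructed records the buckets are tiny, but the protocol is the same.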
Secure your accounts
Making it difficult to access your accounts, even in the case of a data breach, is another way to minimize the negative impact. If it’s impossible to create an alias in order to subscribe to a loyalty program, then make sure the personal details that are linked to it are protected.
This can be achieved through a variety of means:
- Enable multi-factor authentication. Setting up hurdles for logging in can help prevent malicious hackers from accessing your personal accounts in case of a data breach or a successful phishing attempt.
- Do not give personal information over the phone. If your phone number has leaked, you may encounter an increased number of scam calls and message attempts. Do not give any personal information to callers, no matter who they say they are. In fact, try not to engage at all, as any contact would register your number in their systems as active. Your device might have a function to filter some scam calls and messages, and there are apps that can help to some extent, too.
- Change passwords regularly. Never use the same password for any of the reward programs as you use on your other accounts. For all sensitive accounts, make sure to regularly change passwords. A password manager – even a free one as long as it’s reliable – can help you keep your passwords safe and regularly updated without you having to memorize them all.
To summarize
There are no regulations or financial incentives for businesses to protect their clients’ loyalty program details. When you sign up for one, you agree to the company’s terms, and more often than not those terms benefit the company more than the customer.
Due to the sheer extent of data collected, it’s simply not financially beneficial for businesses to invest in watertight cybersecurity systems. Why spend more when the risk of backlash is low? That’s how we end up here: with tens of millions of data leaks in a single year.
Each of those leaks exposes millions of customers to increased scam activity and hacking attempts. While a data leak itself might not have any direct negative impact, what malicious agents can do with that data certainly will.
Luckily, there are ways to detect vulnerabilities and take action to prevent the worst outcome. If you are proactive at monitoring your account safety, you might not need to give up loyalty programs completely.
Methodology and sources
We based the information in this article on depersonalized Cybernews Data Leak Checker data from January to October 2024. This data is constantly updated but is completely anonymous, so we can only see the number of affected emails and websites.
Additionally, we investigated the methods of how scammers get access to people’s emails and phone numbers and checked the National Security Agency (NSA) official website for advice on how to protect data in case of a data breach.