
A recent statement from Cathay Pacific has once again brought frequent flyer mile security into the public spotlight.
Around 1,000 member accounts were illegally breached, and Asia Miles were stolen. Hackers exploited a vulnerability in two-factor authentication and used login credentials leaked online.
This is not the first time Cathay has faced such an incident. According to a Yahoo report, a similar breach happened at the end of 2023.
In mainland China, airlines have implemented a “designated beneficiary” system to regulate mileage usage. Ironically, this system has become a vulnerability exploited by hackers.
Under this system, passengers must pre-register a beneficiary before redeeming miles for someone else. The time before a newly added beneficiary takes effect varies by airline, from immediate activation to up to 60 days.
For example, Air China’s PhoenixMiles program requires 30 days for regular members; China Southern’s Sky Pearl Club requires 15 days for the first addition; Cathay’s Asia Miles takes effect immediately.
This seemingly convenient setup has inadvertently created an opening for cybercriminals.
Some travel agents steal large amounts of miles, redeem them for flight tickets, and resell them at discounted prices. Once detected by the airline, the tickets are quickly rebooked under a different name. Most victims only discover the issue at the boarding gate, with little recourse.
At the root of this gray-market scheme is the cash-like nature of frequent flyer miles. 10,000 miles are worth roughly RMB 500 to 700 (about USD 70-80), the equivalent of a short-haul flight.