That Air India’s FFP was prone to hacking is well known, given that they don’t even store the data on their own servers but with a third-party company. They’ve made very public noises in the past that mileage accounts were frequently used by travel agents to amass miles which rightfully belonged to the members who travelled on those tickets, and that these miles were then used to sell tickets to other unsuspecting customers. This was the reason they instituted a paper trail to be attached to all the accounts, a process which is ongoing.
However, it seems that, in connivance with some insiders, a group of travel agents and hackers still managed to amass enough miles from unsuspecting travellers to put tickets worth INR 1.6 million into the market for other unsuspecting travellers. This sounds similar to the hack on British Airways’ accounts carried out by a Delhi-based hacker last year, which cost the airline tonnes of money.
The Modus Operandi
As per a First Information Report filed with the Delhi Police Cyber Cell yesterday, the Vigilance department of Air India suspects that 20 bogus accounts were created without the knowledge of the real travellers. After all, how hard is it to sign up for a Gmail account? Miles belonging to the real travellers were then put into these accounts, so the real passengers never got their miles. After this, the gang managed to make about 170 redemptions worth INR 16 lakh using those miles.
Why an inside job? Well, Air India requires you to provide paper proof of your existence. I’ve had to send them a copy of my Passport to be able to redeem my miles. In this case, it seems someone used a Driving License, perhaps a digitally morphed one at that, to get these accounts activated for redemption. As per various reports, all 20 scans of the DL had the same signature. The best part is, Driving Licenses are not even a valid proof for Air India to accept for address verification. Also, it seems the person who ok’d the verification of these accounts is not authorised to do so per Air India.
Of course, Air India has deactivated these accounts, but it remains to be seen if they make good to the original passengers.
But Air India, please stop using patchwork on your frequent flyer program. I think it is time they invested in strong backend architecture, or just privatized the frequent flyer program and made some money out of their 2 million FFP members.
Are your miles safe on Air India Flying Returns?