Members of the Hilton HHonors hotel loyalty program are among those who have complained about missing points, the Krebs On Security website reported on Monday. "I did a bit of sleuthing on my own and was able to find plenty of sellers on shady forums offering them for about 3 to 5 percent of their actual value," security reporter Brian Krebs wrote.
Depending on how those points are monetized, a point could be valued at 13 cents or perhaps $3 by converting them into points in other programs, Thompson told CNBC. Those points can also be used in the Hilton online shopping mall to buy jewelry, watches, golf clubs, cigars, guitars, even a subscription to a bacon-of-the-month club.
"It was actually quite an eye-opener. People were selling 80,000 points for $4," said John Ollila, who runs the 3-year-old website LoyaltyLobby, which covers hotel and airline points programs. Ollila wrote about the situation last month after seeing complaints from loyalty club members on the FlyerTalk boards.
A Hilton company spokesman declined to comment on the record for this story. Other hotel companies contacted for this story also declined to comment on whether they have experienced loyalty data breaches.
Some companies have been attacked through a Web application a hacker uses to poke around a site and look for vulnerabilities, Thompson said. Others get speared in a phishing attack when a hacker targets someone working in the company's IT department, possibly by posing as a friend sending an email with a suspicious link.
Even some major travel companies do not have basic protections for their loyalty programs, Thompson said, based on his firm's work with companies that have had problems. "It's not standard yet and that's what's disappointing," he said.