Road Warrior

Hackers latest target: Loyalty programs

Source: Rook Security

Cyberhackers want your loyalty these days, but not in a good way.

They are going after traveler loyalty programs, emptying out the points and turning them into swag and cash.

"The issue is that loyalty programs aren't usually treated as jewels to be protected until there's a problem," said J.J. Thompson, CEO and managing director of Rook Security, an Indianapolis-based security firm that has helped companies handle loyalty breaches.

Read MoreSelling stolen card info online? That's the least of it

Members of the Hilton HHonors hotel loyalty program are among those who have complained about missing points, the Krebs On Security website reported on Monday. "I did a bit of sleuthing on my own and was able to find plenty of sellers on shady forums offering them for about 3 to 5 percent of their actual value," security reporter Brian Krebs wrote.

Depending on how those points are monetized, a point could be valued at 13 cents or perhaps $3 by converting them into points in other programs, Thompson told CNBC. Those points can also be used in the Hilton online shopping mall to buy jewelry, watches, golf clubs, cigars, guitars, even a subscription to a bacon-of-the-month club.

"It was actually quite an eye-opener. People were selling 80,000 points for $4," said John Ollila, who runs the 3-year-old website LoyaltyLobby, which covers hotel and airline points programs. Ollila wrote about the situation last month after seeing complaints from loyalty club members on the FlyerTalk boards.

A Hilton company spokesman declined to comment on the record for this story. Other hotel companies contacted for this story also declined to comment on whether they have experienced loyalty data breaches.

Read MoreSecret Service warns on hotel biz center computers

Some companies have been attacked through a Web application a hacker uses to poke around a site and look for vulnerabilities, Thompson said. Others get speared in a phishing attack when a hacker targets someone working in the company's IT department, possibly by posing as a friend sending an email with a suspicious link.

Even some major travel companies do not have basic protections for their loyalty programs, Thompson said, based on his firm's work with companies that have had problems. "It's not standard yet and that's what's disappointing," he said.

Beware of these hotel fees
Beware of these hotel fees

The hotels should be notifying their customers anytime account information, like an email address or password, has been changed, Thompson said. The sites should also offer two-factor authentication and create their own dummy accounts that will send up internal red flags if the data is moved, he said.

"It's really a form of digital currency but it's not being protected as such," Thompson said.

For consumers, there's not a lot they can do to protect themselves beyond keeping a close eye on their points. "There's currently no way to know," Thompson said. The best advice may be to look at which sites require two-factor authentication for your account and notify you of any changes made to passwords or contact information, he said.

It's also smart to avoid using the same password at more than one website, which cuts down on the possibility that a breach at one company can give the hacker a master key that can be used in multiple locations.

Read MoreHotel data breach went undiscovered for nine months

—Follow Road Warrior on Twitter at @CNBCtravel.