Note from Andy: I don’t really have the energy to “prose” this post up very much so I’m just going to give you a minute-by-minute accounting of what I did, what the hackers did, and what American did on my behalf.
On Thursday night I was leaving my company’s Christmas party and, while sitting in my car in the venue parking lot, unlocked my phone, which refreshes my email. When it pulled in my emails I saw a very curious one pop up.
After reading the email and realizing it was neither spam nor a phishing attempt, my heart sank. My AAdvantage account was compromised. Someone had gained access to my account and, in their efforts to mask it and hope neither I nor American would notice, they added a few digits to the end of my email address.
Timeline of the hack and the fraudulent award bookings
- 10:42pm CST: Hacker gains access to my account and changes the email address. American sends email to the old address and the new one
- 10:51pm CST: I receive email that my email address was updated
- 10:52pm CST: I realized what was happening and immediately called the AAdvantage Executive Platinum Desk and had to wait for an agent (there was weather in DFW, assuming this caused some delays)
- 10:52pm CST: I happened to still be logged in to the American Airlines app on my phone, so I scrolled down to my account settings and, surprisingly, had no issues changing the email back to my original one and resetting my password to a much stronger one
- 10:53pm CST: When I refreshed my app, I noticed 71,600 miles were missing
- 10:59pm CST: I began speaking to an agent on the EXP desk. I frantically told her what was happening and she immediately placed me on hold to speak to her supervisors. She came back after a long hold and said she was seeing what I was seeing and she had reported the account compromised (not really sure how she did this or what she did behind the scenes). She then said, and this was so hard to hear, that she couldn’t really do anything else for me and that I needed to wait until AAdvantage Customer Service opened the next day at 8am CST. I could not fathom that the largest airline in the world did not have any emergency plan for situations like this and (I hope respectfully) told her as much. While she and I were speaking I happened to refresh my app again and saw that another 66,900 miles had just been pulled from my account. This was an active hack. She saw it too, gasped, and put me on another hold
Let me pause briefly here. I was frustrated and felt violated and the EXP agent was frustrated for me and was as comforting as she could be, coming back on the line every five minutes or so to let me know that she was still working on things internally for me while I endured lengthy holds. I commend her for not only her skill of making the right internal people aware of what was happening but for her empathy with me. Her immense compassion and kindness embodied the best of American Airlines customer service during a tough situation.
- 12:13am CST: After an hour on the phone the agent gave me the news: she had done everything she could do, as had her supervisors, but, at this point, I would need to wait until 8am CST for AAdvantage Customer Service to open for further instructions. I knew she did everything she could but was sad that this is what it came to
What I did until AAdvantage Customer Service opened 8 hours later
I was livid that the largest airline in the world, fresh off 5 years of record profits, seemingly couldn’t help me until 8 hours later (I was wrong about this, which I’ll get to in a minute). At that point, however, I had bigger fish to fry. I tried to think like a hacker and guess what their next move would be, as changing my email address back to my own and changing the password on my AAdvantage account had seemed to stop them in their tracks for the moment. They couldn’t make bookings with my miles anymore but they had seen quite a bit of my personal information, including my personal cell phone, my personal address, my date of birth, and my emergency contact information (including their cell phone). I had work to do.
- The first thing I did was call (and wake up) my emergency contact to let them know what had happened and to let them know I hadn’t been in a car wreck or arrested or anything like that, in case the hacker would try to impersonate someone and try to scam them out of some money by creating some false emergency
- The next thing I did was put fraud alerts on all of my credit accounts with the three credit bureaus (this was actually super easy, as submitting a fraud alert with one bureau will automatically notify the other two). With my name, address, and date of birth I was concerned someone could put that information on a fake driver’s license and attempt to rent cars in my name or cross-reference that data to someplace on the dark web (where I’m sure my social security number has been exposed because honestly probably all of ours have been exposed) and then apply for credit accounts in my name
- I sent Facebook messages to a few key people who know higher-ups at American Airlines and also posted about this in an Executive Platinum Facebook group to see if anyone could help. I also sent a text message to one of my main contacts at American to see if they were awake and could help
And then I waited. There was nothing else I could do. I felt helpless. But then I got my first data point.
At 3:25am CST I received the usual ‘Your recent award redemption’ email from American, which they send after you make an award booking. On it, I finally had the name of a suspect. (I did not recognize the name and it was nobody I knew)
(Yes, I blurred out their name. I’m an incredibly firm believer in rights of the accused and do not wish to have people, however well-meaning, going looking for these people)
I knew this email was automatically generated a few hours (probably some batch process) after an award booking. I imagine this is why the hacker changed the email address on my AAdvantage account, so they would receive the confirmation and not me, after which they would change the email address on my account back to my original email address and hope I was none the wiser until I noticed the miles missing from my account, by which time the fraudulent booking would’ve already been used.
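Added example (not part of the original post, and not American's own logic): one way a loyalty program could flag the pattern described above, an email change that only appends digits to the existing address followed shortly by award redemptions. The event format, account ids, addresses, date, redemption times and the two-hour window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real airline logs). The email-change time and
# mile amounts follow the post; date, ids, addresses and redemption times are
# placeholders.
EVENTS = [
    {"ts": "2000-01-06 22:42", "acct": "A1", "type": "email_change",
     "old": "andy@example.com", "new": "andy123@example.com"},
    {"ts": "2000-01-06 22:50", "acct": "A1", "type": "redemption", "miles": 71600},
    {"ts": "2000-01-06 23:05", "acct": "A1", "type": "redemption", "miles": 66900},
    # Benign-looking control: a domain change, not appended digits.
    {"ts": "2000-01-06 21:00", "acct": "B2", "type": "email_change",
     "old": "pat@example.com", "new": "pat@example.org"},
    {"ts": "2000-01-06 21:10", "acct": "B2", "type": "redemption", "miles": 12500},
]

def is_lookalike(old, new):
    """True when `new` is `old` with only digits appended to the local part."""
    old_local, _, old_dom = old.lower().rpartition("@")
    new_local, _, new_dom = new.lower().rpartition("@")
    if old_dom != new_dom or not new_local.startswith(old_local):
        return False
    return re.fullmatch(r"\d+", new_local[len(old_local):]) is not None

def flag_takeovers(events, window=timedelta(hours=2)):
    """Alert on lookalike email changes followed by redemptions within `window`."""
    parsed = sorted(
        ({**e, "ts": datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")} for e in events),
        key=lambda e: e["ts"],
    )
    alerts = []
    for change in parsed:
        if change["type"] != "email_change":
            continue
        if not is_lookalike(change["old"], change["new"]):
            continue
        spent = [e["miles"] for e in parsed
                 if e["acct"] == change["acct"] and e["type"] == "redemption"
                 and change["ts"] <= e["ts"] <= change["ts"] + window]
        if spent:
            alerts.append({"acct": change["acct"], "changed_at": change["ts"],
                           "redemptions": len(spent), "miles": sum(spent)})
    return alerts

if __name__ == "__main__":
    for alert in flag_takeovers(EVENTS):
        print(alert)
```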
As the hours slowly crept by I tried to get some sleep and probably nodded off for 30 minutes or so but it wasn’t fitful sleep since I was so stressed.
And then I realized American WAS working on things behind the scenes
At 7:28am CST I received an email from Corporate Security at American Airlines. They had received the report, thanks to the hard work of the EXP desk agent the night before, and reviewed the bookings. Here was the crux of it:
- My AAdvantage account had been compromised. There was no use trying to save it. I needed to create a new AAdvantage account with a different email address (that didn’t resemble my old one) and different security questions
- In order to get my miles back, I needed to submit a police report to American Corporate Security. This sounded ridiculous at first but I get why they ask for one, even though it slows down the process
They provided me with the following information:
I had a caseworker and everything. It was reassuring that I had that information and I was grateful that they were able to get me the information so quickly.
Then AAdvantage Customer Service reopened
When I called in at 8am CST, the EXP number skipped the usual “oooooo-oo-oooo-oo-oooooooo” song and automatically routed my call directly to AAdvantage Customer Service, since my account had been tagged as compromised by that point. A friendly AAgent picked up the phone and helped me set up a new AAdvantage account and begin the process of merging my old account data into the new one. At this point, they had done what they were capable of doing and the rest was in the hands of Corporate Security.
Getting a police report
The email from Corporate Security contained not just one but two names of the people in whose name the awards (which turned out to be car/hotel awards) were booked. I did some online sleuthing and was quickly able to figure out their likely whereabouts and was even able to pull up some lengthy criminal histories for names which matched the suspects. I’m not sharing their location publicly but I do have some connections in that area and will be getting law enforcement involved.
I live in Dallas, Texas. DPD has a helpful online information page for filing police reports so I gathered the necessary information and went down to the police headquarters yesterday to file a police report and start the process of getting my miles back. Since the accused thieves are outside of DPD jurisdiction I knew there was nothing they could do but I at least wanted to get the police report going in order to get my miles back.
Why did I have to get a police report? Corporate Security asked for one. Why did they ask for one? Well, I’m sure there have been people who have falsely claimed their miles were ‘stolen’ in the past just to try and scam American out of miles. It’s asking a lot, but I get why they’re doing it.
And now? I wait.
I have to wait for the police report and then need to send it over to Corporate Security in order for American to reinstate my miles. I have no doubts that everything will work out, it’ll just take some time. I struggle with patience so this will be good practice for me. I hate that this takes time but I don’t have any upcoming need for my miles so I’m good for now.
Thinking about it, this is the perfect crime
It didn’t work out for this hacker, but I think this is what happened. Hacker found my email address and a password as part of some data breach (like Marriott’s). They tried that password in a variety of sites and found that the email/password combo worked with American. They then run a Craigslist ad or something for cheap car rentals and hotels (with a burner phone, of course), someone pays the hacker cash, hacker makes award bookings in that person’s name using my miles, and job done. It would be the recipient of the fraudulent award that gets arrested, not the hacker.
Like I said, I know the names of the people for whom the awards were booked and I’d like law enforcement to pick them up so we can figure out who actually hacked my account (I have my doubts that it was the people for whom the awards were booked).
Ok so what have we learned from all this?
I’ve written enough for now. I have some ideas about what American could do to prevent this (which I’m sending in a letter to the executive team) and I’ll write about that in a future post but, for now, I just wanted to get the timeline out there so everyone knew what happened. As always, try and make sure your passwords are unique from website to website. Mine wasn’t, and that’s probably how the hack began. Stay tuned for the next post!
A quick thank you
Thank you to all the readers who reached out privately and asked if there was anything they could do to help. Having your information exposed and used like this makes a person feel very violated, particularly since travel is so near and dear to my heart. Your kind words and thoughts really mean a lot to me and helped me find my smile as I’ve worked through all of this.