Akamai Security Research: Loyalty Programs Continue to be Targeted by Criminals as Account Data is Easily Sold or Traded Retail, Hospitality, Travel industries were hit with over 63 billion credential stuffing and 4 billion web application attacks in last two years
Cambridge, MA | October 21, 2020
Akamai (NASDAQ: AKAM) the intelligent edge platform for security and delivering digital experiences, today published the State of the Internet / Security report: Loyalty for Sale - Retail and Hospitality Fraud. The report details criminal activity targeting the retail, travel, and hospitality sectors with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the darknet illustrating how they cash in on the results from successful attacks and the corresponding data theft.
Criminals are not picky -- anything that can be accessed can be used in some way, said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.
During the COVID-19 pandemic-related lockdowns in Q1 2020, criminals took advantage of the worldwide situation and circulated password combination lists, targeting each of the commerce industries featured in the report. It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to a significant uptick in criminal inventory and sales related to loyalty programs.
Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks in total. In the commerce category - comprising the retail, travel, and hospitality industries - there were 63,828,642,449 recorded. More than 90% of the attacks in the commerce category targeted the retail industry.
Credential stuffing isn't the only way that criminals target the retail, travel, and hospitality industries. They target organizations in these industries at the source using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks. Between July 2018 and June 2020, Akamai observed 4,375,711,860 web attacks against retail, travel, and hospitality, accounting for 41% of the overall attack volume across all industries. Within this data set, 83% of those web attacks targeted the retail sector alone. SQLi attacks are an evident favorite among criminals, accounting for just under 79% of the total web application attacks against retail, travel, and hospitality.
As the global economy prepares for a holiday shopping season, it does so in an environment that has changed radically due to the pandemic. Consumers will not be standing outside of brick and mortar stores waiting for the latest deals in the same way they have in the past. They're going to log-in, collect their reward points, and maybe use loyalty programs to gain some discounts or other perks just for being a member.
Considering everything that goes into a successful loyalty program, and the information people need to provide in order to take part, the criminals have everything they need to get started in a number of crime-related ventures, from account takeovers, to straight-up identity theft. So, while an individual's loyalty to a merchant, airline, or hotel chain might not literally be for sale, there's a good chance the account associated with such programs might be.
All businesses need to adapt to external events, whether it's a pandemic, a competitor, or an active and intelligent attacker, Ragan concluded. Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.
The Akamai 2020 State of the Internet / Security report, Loyalty for Sale - Retail and Hospitality Fraud is available here. In addition, Akamai will host a webinar on Thursday, October 22 at 11:00 a.m. ET where Akamai security experts discuss the findings of this latest report. To register for the webinar, visit here.
For additional information, the security community can access, engage with, and learn from Akamai's threat researchers and the insight that the Akamai Intelligent Edge Platform affords into the evolving threat landscape, visit Akamai's Threat Research Hub.
About Akamai Akamai secures and delivers digital experiences for the world's largest companies. Akamai's intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps and experiences closer to users than anyone - and attacks and threats far away. Akamai's portfolio of edge security, web and mobile performance, enterprise access and video delivery solutions is supported by unmatched customer service, analytics and 24/7/365 monitoring. To learn why the world's top brands trust Akamai, visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter. You can find our global contact information at www.akamai.com/locations.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
04/03/2026
For many fans, a song's backstory can be just as compelling as the final pro...
04/03/2026
In 2006, Spotify was founded on the belief that technology could bring artists a...
04/03/2026
Spotify is back on the ground for the Houston Livestock Show and Rodeo, and we&#...
04/03/2026
Spotify had an energizing week in Sydney, Australia, filled with powerful conver...
04/03/2026
Earlier this year, we launched Directed By, a documentary-style series that pull...
04/03/2026
KT and Rohde & Schwarz to showcase AI-enhanced radio transmission performance In a joint 6G AI proof-of-concept demonstration, the CMX500 one-box tester from ...
04/03/2026
Luxembourg, 3 March 2026 - SES S.A. has today published its 2025 Annual Report, following the announcement of the company's full year financial results for ...
04/03/2026
Luxembourg, March 3, 2026 - SES, a leading space solutions company, along with I...
04/03/2026
04 Mar 2026
VEON Partners with GSMA Innovation Fund to Accelerate Digital Innov...
04/03/2026
04 Mar 2026
VEON's Beeline Uzbekistan and Rakuten Symphony Partner for Open...
04/03/2026
Wednesday 4 March 2026
Sky Sports unveils plans for 2026 Formula 1 coverage
Sky Sports is preparing for one of the most highly anticipated F1 seasons in recen...
03/03/2026
For many, finding time or headspace to pick up a book can feel out of reach, but...
03/03/2026
Rohde & Schwarz and Realtek demonstrate first test solution for Bluetooth LE Hi...
03/03/2026
eds3_5_jq(document).ready(function($) { $(#eds_sliderM519).chameleonSlider_2_1({ content_source:......
03/03/2026
Luxembourg, 2 March 2026 -- SES S.A. fully consolidates Intelsat from 17 July 2025 and announces financial results for the year ended 31 December 2025
FY25 Pe...
03/03/2026
RT is proud to support a rich and diverse programme of arts and cultural events taking place across Ireland throughout March 2026. This month brings a remarkab...
03/03/2026
03 Mar 2026
VEON and MeetKai Expand Collaboration to Explore Sovereign AI Infra...
03/03/2026
Tuesday 3 March 2026
Sky releases official trailer for The Miniature Wife, a Sk...
03/03/2026
Tuesday 3 March 2026
Ryan Reynolds and Rob Mac land first ever live commentary ...
03/03/2026
Tuesday 3 March 2026
The Dyers' Caravan Park reopens for a second season after a hit launch on Sky
The Dyers' Caravan Park
JPEG (510KB)
Sky books a ...
03/03/2026
Harmonic's cOS Virtualized Broadband Platform Simplifies Network Operations, Lowers Hardware Dependency and Enables Seamless DOCSIS and Fiber Growth SAN JO...
03/03/2026
Comscore to Announce Fourth Quarter and Full Year 2025 Financial ResultsRESTON, VA, March 3, 2026 Comscore, Inc. (Nasdaq: SCOR), a trusted partner for plannin...
03/03/2026
Self-taught on iMovie, Hanagami transitioned to Final Cut Pro in 2009, discovering that professional tools could give him full creative control over how his wor...
03/03/2026
RT Media Sales has announced Spry Finance has renewed it's sponsorship of M...
02/03/2026
Rohde & Schwarz demonstrates FR1-FR3 carrier aggregation, advancing 6G readiness Rohde & Schwarz and Qualcomm Technologies, Inc. have reached another pivotal ...
02/03/2026
aconnic AG (ISIN: DE000A0LBKW6), Munich, and Arqit Quantum Inc. (Nasdaq: ARQQ, A...
02/03/2026
Luxembourg, February 26, 2026 - SES and Africa Mobile Network (AMN) have expande...
02/03/2026
Monday 2 March 2026
Saturday Night Live UK announces writing team
L-R: Jonno Johnson; Charlie Skelton; Celya AB; Omar Badawy; Gr inne Maguire; Laura Claxton; ...
27/02/2026
Since its inception, Gorillaz has been known for blending art with genre-bending...
27/02/2026
This week, Spotify introduced Audiobook Charts for the U.S. and U.K. The charts make it easy to discover your next favorite book by showing what's popular a...
27/02/2026
Rohde & Schwarz and Viasat to collaborate on NB-NTN IoT test plan for connectivi...
27/02/2026
In media technology, big features often steal the spotlight - AI integrations, cloud transformations, automation frameworks. But for the people who use these to...
27/02/2026
Digital Asset Management systems sit at the heart of most marcoms operations. They centralise content, organise it, and make it discoverable. Integrated with th...
27/02/2026
The AI Wild West comes to NAB 2026 and Blue Lucy is bringing the Sheriff
The AI Wild West is here, and media organisations are feeling the heat. On Booth W23...
27/02/2026
A deeply personal, uncompromising portrait of the legendary punk rock iconFriday...
27/02/2026
One of Ireland's favourite lifestyle shows Home of the Year, returns for its 12th series and will be proudly sponsored by SIRO. The brand-new series will ai...
27/02/2026
Our Farm: A GIY Story lands on RT One and RT Player from March 3
From walled garden to community farm, new six-part series captures the unfiltered realities...
27/02/2026
Note: English version included below the Irish language version.
Seachtain na Gaeilge 2026 ar RT
A Ghaeilge mo cheol th '
T feachtas athnuaite i n...
26/02/2026
Rohde & Schwarz awarded contract by Israel Airports Authority for QPS201 securit...
26/02/2026
Rohde & Schwarz highlights its unique CMX500 one-box tester tailored for NTN tes...
26/02/2026
Rohde & Schwarz high-efficiency transmitter powers next-gen broadcast services i...
26/02/2026
Rohde & Schwarz highlights its comprehensive embedded systems test solutions at ...
26/02/2026
Rohde & Schwarz to showcase spectrum security and network efficiency solutions a...
Akamai Security Research: Loyalty Programs Continue to be Targeted by Criminals as Account Data is Easily Sold or Traded Retail, Hospitality, Travel industries were hit with over 63 billion credential stuffing and 4 billion web application attacks in last two years 
