Skip to main content

Ottawa man's 200,000 Aeroplan points stolen as he slept


Cyber theft is surging, with hackers moving faster than ever to access private information and take it.

In one recent incident, Ottawa resident Brian Crook fell victim to a cyber attack that wiped out his cache of Aeroplan loyalty points, enough for a pair of round-the-world flights.

"I had over 200,000 air miles in my account," says Crook, "and then one morning they were just gone. I probably had enough for a trip for two to Australia, which is kind of disappointing."

Crook spent many years accumulating those points, which he says were stolen from his online account on Feb. 7 while he slept.

"At about two in the morning, my Aeroplan account changes and they now have full access to my points. I don't have an Uber account, but from what I understand is they created an Uber account, attach it to your Aeroplan account, and then start taking the points at incremental amounts. Eighteen transactions over that February night, all around 12,000 points each."

Air Canada owns and operates Aeroplan, and the points clients earn can be used for airline tickets or to purchase other items through third party partners, like Uber.

Cybersecurity experts warn that loyalty card accounts are highly valuable to hackers, as points can be converted quickly to untraceable gift cards. Technology analyst Carmi Levy says enabling enhanced security measures, like two-factor authentication, is a necessity to protect against cybercriminals.

"We aren't treating the assets, the points within our loyalty accounts, in the same way that we would dollars in a bank account and we really should because they are worth something. Unfortunately, they can be compromised just as easily as money in an account. It's really a feeding frenzy for cybercriminals. They know full well that the advantage is theirs," says Levy. "The unfortunate reality for most consumers is there is no protection for them. There are no laws on the books that specifically compel providers, platform owners, these vendors to return lost loyalty points to them in case of a cyberattack like this. So if you do get your points back, then it's really largely just out of the generosity of the company."

In a statement to CTV News, Air Canada says the incident occurred because "the member's email account was compromised, and entry was gained that way, not through the Aeroplan platform."

Air Canada says it has been in touch with Crook, and on Monday, restored the stolen points as well as helped to ensure safeguards are in place for the future. The company advises all customers to apply added precautions, available to account holders, such as:

  • Multi-factor authentication: members conveniently receive a one-time code via text message every time they log in to their Aeroplan account, so it authenticates whoever is gaining access.
  • Use a strong and unique password: One of the most common causes of data breaches generally is weak or reused passwords. To prevent cybercriminals from accessing multiple accounts at once, create a strong and unique password for each account that combines letters, numbers, and symbols. Choose a passphrase that can be easily remembered, but that others won’t easily guess.
  • Update contact information: Keeping contact details current enables the company to promptly report any suspicious activity detected on a member's account. It’s particularly important if people change internet service providers or workplaces, or if they lose access to the email address linked to their Aeroplan account.

Crook says, after nearly a month of waiting, he is thankful, and relieved that Aeroplan returned the stolen points so that he and his family can consider that big vacation. Top Stories

Stay Connected