It seems like every day brings word of a new internet hack or data breach. Target got hacked by Russian teenagers and millions of credit cards had to be replaced. Sony got hacked by the North Koreans and a loungeful of smug Hollywood executives got embarrassed. The Office of Personnel Management got hacked by the Chinese and thousands of spies got their covers blown. It’s almost enough to make you long for the return of old-fashioned computer punch cards.
United Airlines depends on internet technology as much any big business — the days of friendly travel agents patiently walking you through route choices are long gone. So back in May, they took advantage of a clever strategy for avoiding the sorts of attacks that make the skies less friendly. They call it the “Bug Bounty Program,” and it pays “white knight” hackers to find the flaws in their system before the bad guys do. Last month, the airline paid two hackers a million “MileagePlus” points each for finding and documenting major flaws related to remote code execution (whatever that is).
A million miles is literally enough to fly to the Moon and back twice, if you don’t mind cramped seats, surly gate agents, $15 snacks, and changing planes in Newark. (Can you imagine flying to the Moon in a middle seat? How much would they charge to check a bag?) But back here on earth, what do our friends at the IRS think of the Bug Bounty program?
The Service generally considers frequent flyer miles you earn from business travel to be nontaxable rebates. However, miles you earn from other sources, like opening a bank or brokerage account, may be taxable. In 2012, Citibank drew heat by issuing thousands of 1099s to customers who had opened new accounts. But many tax experts agreed the IRS wouldn’t have noticed — or really, even cared — if Citibank hadn’t blown the whistle by issuing the forms!
Last year, the Tax Court reinforced the notion of taxable miles, ordering a Citibank depositor to pay tax on 50,000 “Thank You Points” he redeemed for a $668 airline ticket. In Shankar v. Commissioner, the Court characterized the points as a premium for a deposit — “In other words, something given in exchange for the use (deposit) of Mr. Shankar’s money; i.e., something in the nature of interest.”
United has confirmed that they’ll send 1099s to the Bug Bounty winners, valuing the miles at two cents each. That’s great for United; it means they get to deduct the reward. But it also means the winning hackers get taxed on $20,000 each. That’s a real problem. First, the miles may not actually be worth as much as United says they are. (Thepointsguy.com, an online resource for points collectors, currently values MileagePlus points at just 1.5 cents each.) And second, the hackers can’t sell their miles — which might not be such a problem if the IRS didn’t want their taxes in cash.