Hey guys, first ever post but I've been reading a lot on this forum and learning a lot so thanks everyone!

A couple of days ago I was speaking with AA on twitter regarding using a friends SWU to upgrade my flight. It was open Twitter not in a DM. I had previously conversed with them in a DM regarding a booking at had securely given over my info.

Anyway, they basically said no regarding my question to the current booking. My question to them didn't include my booking reference so I was unsure how they had it (I forgot I was messaging them a couple of weeks ago). Anyway I asked what booking. They responded saying this booking with my record locater on public display for the world to see.

​​​​​They kept it up there until I alerted them about it. I'm no expert but surely this is a big violation of data protection laws? The record locater has access to passport details, addresses credit cards etc...

Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak cos I've hear lots of stories of identity theft and don't exactly want that to happen to me!

Any help appreciated