Originally Posted by USFlyerUS
I'm not really sure you can do much with just the PNR. To look up on aa.com, you also need a last name.
And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection, it wouldn't be on bag tags, boarding passes, etc. I think your risk is low.
Twitter account has my surname, so they would have everything they need.
I get your point with bag tags, but at the same time no one is doing that. Everyone's waiting for their bag to leave, and it wouldn't be a reasonable measure for AA to need to limit that. Sharing on Twitter with 1.6m followers, of which many are bots, is vastly different. On the AA website you can see passport info, contact info, address in the US, and a bunch of other things, and if you were to call and make changes they would use the card on file. So I would argue it's a serious breach.