Severe data protection issue - I can see and modify a stranger's flight on my A3 app
Nov 14, 2017, 2:42 am
#17
FlyerTalk Evangelist
Join Date: Mar 2008
Location: Netherlands
Programs: KL Platinum; A3 Gold
Posts: 28,659
Nov 14, 2017, 5:03 am
#18
Moderator: Aegean Miles+Bonus
Join Date: Oct 2009
Location: AMS / ATH
Programs: AFKL Plat, A3 Gold
Posts: 7,331
I am actually impressed that they got back to you within a day 
If you received the check-in notification, then your email was associated with the booking, not just the check in. As that email is sent to the email in the booking.
Does not clear up why that would be the case though. Have you used a public PC that may have remembered (and pre-filled) the email address later on? Or perhaps mentioned the email address to a support or ticket desk - who may have accidentally applied it to the wrong booking?
This is getting more puzzling:
Some data points:
My A3 email address is German (.de). I use the initial of my first name and my full last name. My new "mystery friend" is greek, and her initials (first and last) are different from mine.
I just noticed that I received an e-mail confirmation about check-in for this flight two days ago (when the check-in window for the flight first opened).
Very strange.
Some data points:
My A3 email address is German (.de). I use the initial of my first name and my full last name. My new "mystery friend" is greek, and her initials (first and last) are different from mine.
I just noticed that I received an e-mail confirmation about check-in for this flight two days ago (when the check-in window for the flight first opened).
Very strange.
Does not clear up why that would be the case though. Have you used a public PC that may have remembered (and pre-filled) the email address later on? Or perhaps mentioned the email address to a support or ticket desk - who may have accidentally applied it to the wrong booking?
Nov 14, 2017, 5:45 am
#19
Community Director
Join Date: Jan 2009
Location: Norwich, UK
Programs: A3*G, BA Gold, BD Gold (in memoriam), IHG Diamond Ambassador
Posts: 8,466
It seems more likely to me that the OP's M+B number was attached to the booking in error, which then auto-filled the e-mail field and sent notifications out. Given no original booking e-mail was received, the likelihood is that this happened sometime afterwards.
This could have done by the person making the booking, but equally it could have been mis-keyed by an A3 agent ... and at this stage I would strongly suspect the OP will not ever get to find out.
This could have done by the person making the booking, but equally it could have been mis-keyed by an A3 agent ... and at this stage I would strongly suspect the OP will not ever get to find out.
Nov 14, 2017, 1:29 pm
#20
Join Date: Nov 2016
Programs: A3*G
Posts: 42
Nov 14, 2017, 7:54 pm
#22
Join Date: Jan 2004
Location: Heraklion, Greece
Posts: 7,562
This is getting more puzzling:
Some data points:
My A3 email address is German (.de). I use the initial of my first name and my full last name. My new "mystery friend" is greek, and her initials (first and last) are different from mine.
I just noticed that I received an e-mail confirmation about check-in for this flight two days ago (when the check-in window for the flight first opened).
Very strange.
Some data points:
My A3 email address is German (.de). I use the initial of my first name and my full last name. My new "mystery friend" is greek, and her initials (first and last) are different from mine.
I just noticed that I received an e-mail confirmation about check-in for this flight two days ago (when the check-in window for the flight first opened).
Very strange.
Nov 14, 2017, 8:07 pm
#23
FlyerTalk Evangelist
Join Date: Aug 2014
Programs: Top Tier with all 3 alliances
Posts: 11,635
Let's hope A3 doesn't lock the OP's account in trying to figure this out, as in no good deed goes unpunished...
It is obviously some kind of IT glitch. I had that happen to me once before, don't remember the airline, I think I called and they were like "don't worry about it, it is a temporary glitch."
It is obviously some kind of IT glitch. I had that happen to me once before, don't remember the airline, I think I called and they were like "don't worry about it, it is a temporary glitch."
Nov 14, 2017, 10:56 pm
#24
Join Date: Jan 2004
Location: Heraklion, Greece
Posts: 7,562
The way I interpret OP's correspondence with A3's CS is that they claim his email address was indicated as where the BP should be sent to. OP says that his and "her" (the "mystery friend") address were very different, thus no typo was possible (first and last -?- initials different). Some questions that are still open are:
- How different were the two email addresses.
- Does the "mystery friend" know OP?
- How did OP find out the "mystery friend"'s enmail address? The BP does NOT contain any email addresses!
...and possibly a few more. With the last name and the Booking reference there is no problem accessing the reservation, both at the CI time and (even worse) changing it completely!
- How different were the two email addresses.
- Does the "mystery friend" know OP?
- How did OP find out the "mystery friend"'s enmail address? The BP does NOT contain any email addresses!
...and possibly a few more. With the last name and the Booking reference there is no problem accessing the reservation, both at the CI time and (even worse) changing it completely!
Nov 15, 2017, 2:05 am
#25
FlyerTalk Evangelist
Join Date: Mar 2008
Location: Netherlands
Programs: KL Platinum; A3 Gold
Posts: 28,659
I assure you I was not, and am not, being sarcastic.
I had to ask twice if the OP could be sure that the ticket was not booked using his/her (hacked) account, to be told that (s)he was as sure as on the previous day - though no answer had been given on the previous day.
If the OP doesn't respond to simple, relevant questions, are we not allowed to try obtaining the information a second time? Isn't the idea of posting the thread such that the "problem" can be solved?
We can't be sure of anything that we haven't been explicitly told. The OP's later post indictes that they were already in possession of further relevant information of which they were not aware. If a relevant email was not spotted, how can we know that other relevant information has similarly not been spotted by the OP?
I'm not sure why you interpreted a simple question asked to try and eliminate one possible avenue (and a dangerous and increasingly common one, at that) as being "sarcastic".
I had to ask twice if the OP could be sure that the ticket was not booked using his/her (hacked) account, to be told that (s)he was as sure as on the previous day - though no answer had been given on the previous day.
If the OP doesn't respond to simple, relevant questions, are we not allowed to try obtaining the information a second time? Isn't the idea of posting the thread such that the "problem" can be solved?
We can't be sure of anything that we haven't been explicitly told. The OP's later post indictes that they were already in possession of further relevant information of which they were not aware. If a relevant email was not spotted, how can we know that other relevant information has similarly not been spotted by the OP?
I'm not sure why you interpreted a simple question asked to try and eliminate one possible avenue (and a dangerous and increasingly common one, at that) as being "sarcastic".
Nov 15, 2017, 9:49 am
#26
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,343
The way I interpret OP's correspondence with A3's CS is that they claim his email address was indicated as where the BP should be sent to. OP says that his and "her" (the "mystery friend") address were very different, thus no typo was possible (first and last -?- initials different). Some questions that are still open are:
- How different were the two email addresses.
- Does the "mystery friend" know OP?
- How did OP find out the "mystery friend"'s enmail address? The BP does NOT contain any email addresses!
...and possibly a few more. With the last name and the Booking reference there is no problem accessing the reservation, both at the CI time and (even worse) changing it completely!
- How different were the two email addresses.
- Does the "mystery friend" know OP?
- How did OP find out the "mystery friend"'s enmail address? The BP does NOT contain any email addresses!
...and possibly a few more. With the last name and the Booking reference there is no problem accessing the reservation, both at the CI time and (even worse) changing it completely!
Regarding your other point, I'm sure the OP just means the intials of first and last names are different, i.e. the first letter of the mystery person's given name and the first letter of their surname.
And since the other person has a completely different name, the OP was wondering how they managed to input the wrong email. The OP also says that the M&B numbers are completely different so it probably isn't that either.
Nov 15, 2017, 9:55 am
#27
Original Poster
Join Date: Sep 2014
Programs: A3*G
Posts: 114
I don't think ObserverA3 knows the mystery person's actual email address, because for this particular flight mystery person's email address is ObserverA3's email address. So there is no way to contact the mystery person.
Regarding your other point, I'm sure the OP just means the intials of first and last names are different, i.e. the first letter of the mystery person's given name and the first letter of their surname.
And since the other person has a completely different name, the OP was wondering how they managed to input the wrong email. The OP also says that the M&B numbers are completely different so it probably isn't that either.
Regarding your other point, I'm sure the OP just means the intials of first and last names are different, i.e. the first letter of the mystery person's given name and the first letter of their surname.
And since the other person has a completely different name, the OP was wondering how they managed to input the wrong email. The OP also says that the M&B numbers are completely different so it probably isn't that either.
