Originally Posted by USFlyerUS
(Post 34469289)
I
And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection it wouldn't be on bag tags, boarding passes, etc. I think your risk is low. |
So is it all about compensation?
Originally Posted by Duckle
(Post 34469249)
Hey guys, first ever post but I've been reading a lot on this forum and learning a lot so thanks everyone!
A couple of days ago I was speaking with AA on Twitter regarding using a friend's SWU to upgrade my flight. It was open Twitter not in a DM. I had previously conversed with them in a DM regarding a booking and had securely given over my info. Anyway, they basically said no regarding my question to the current booking. My question to them didn't include my booking reference so I was unsure how they had it (I forgot I was messaging them a couple of weeks ago). Anyway I asked what booking. They responded saying this booking with my record locator on public display for the world to see. They kept it up there until I alerted them about it. I'm no expert but surely this is a big violation of data protection laws? The record locator has access to passport details, addresses, credit cards etc... Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak cos I've heard lots of stories of identity theft and don't exactly want that to happen to me! Any help appreciated |
Originally Posted by Kawliga
(Post 34469380)
But as to whether or not AA owes you compensation, typically you’ll need evidence of actual damages in order to prevail, not just “what if someone does x.”
|
Originally Posted by Dave Noble
(Post 34469832)
From what I understand, you were communicating on an open channel and you asked the agent what the booking was and the agent replied. Given that you requested the information from the agent on a public channel, I cannot see that there was a data breach
|
Originally Posted by WeekendTraveler
(Post 34469993)
If you're in the US, the AA privacy policy pretty much governs what AA can and can't do with your information: Privacy policy − Support − American Airlines (aa.com)
The AA privacy policy says that you should keep your record locator confidential so it's odd that AA would Tweet it. But the privacy policy specifically allows use of it: "to complete transactions and fulfill requests for our products and services." So I don't think you have any claim against AA. Such is life in the US (unlike in the EU). |
Originally Posted by Lux Flyer
(Post 34469549)
If this was a thing professional fraudsters wanted to do, they would be camping out in baggage claims, collecting PNRs/last names from the bag tags, as was mentioned above. They would get a million times better return on their time investment to steal identities than waiting for the rare situation in which a PNR/last name combination is inadvertently posted on Twitter/social media.
I (personally) think you're blowing this out of proportion for what it was, but if you're truly as concerned about your privacy online that you're making it out to be from AA disclosing the record locator, I'd recommend removing your last name from your Twitter profile/wherever else you are using it online as it would 1) have prevented this from being an issue in the first place and 2) with your name and the amount of public records available online someone dedicated enough could easily find almost all of the information that would be exposed from the PNR anyways. Also since it looks like you just joined - welcome. And you probably hit the post limit for a new account so it will probably be a day before we can discuss further.
But, AA have responded and put a lock and password on my booking |
But point still stands that what they did was illegal, perhaps not to US law but definitely to UK/EU law and as I provided the info to BA as I booked through them it would be a violation of these laws. I'm not looking to seek compensation (unless someone does get ahold of my details) but at the same time I do believe they should be retrained and/or fined. Not necessarily just because it broke the law, but simply because of the stupidity of whichever CS representative posted it on twitter. I cannot fathom how whoever did it could be so oblivious; I've seen many times when the AA Twitter team "strongly advise" customers who tweet them in public with details exactly like this, to delete their tweet and here they go doing the exact opposite.
|
I think you're overreacting on this. Regardless of whether we think a PNR is PII or not, the agent made a simple mistake that was easily corrected.
|
The reality is that no company is going to be fined (or be required to retrain an employee or anything else) by any data protection authority for something like this. In addition to being significantly de minimis (plus is a record locator even PII - I don’t think that is clear), you agreed to usage in the privacy policy.
If you just cannot sleep at night, then report AA to the UK data protection authority then you are done. There are likely thousands of such reports filed all across EU data privacy regulators every single week. I know you feel strongly about this, but absolutely nothing will happen because of it. Please also do get a new record locator as well. |
Originally Posted by Duckle
(Post 34472274)
But point still stands that what they did was illegal, perhaps not to US law but definitely to UK/EU law and as I provided the info to BA as I booked through them it would be a violation of these laws. I'm not looking to seek compensation (unless someone does get ahold of my details) but at the same time I do believe they should be retrained and/or fined. Not necessarily just because it broke the law, but simply because of the stupidity of whichever CS representative posted it on twitter. I cannot fathom how whoever did it could be so oblivious; I've seen many times when the AA Twitter team "strongly advise" customers who tweet them in public with details exactly like this, to delete their tweet and here they go doing the exact opposite.
In the US, victims of data breaches get compensation often because regulators (and data privacy laws) require it. In the EU, the GDPR is much stricter than most US data privacy laws, but companies are allowed to use your data, as long as you've given the proper consent and you haven't revoked that consent, and as long as they have the internal set-up to comply with data privacy laws. In any event, if you don't want your information shared on Twitter, then don't communicate that way. You made your bed, now lie in it. If you're so certain that AA broke the law, (1) where did you go to law school and (2) what specific statute was broken? |
Originally Posted by Duckle
(Post 34472266)
True. If a scammer really wanted to they could get all the details by hanging around at baggage claim. Although in reality they'd be caught after about five minutes when some lovely CBP officer came up to them and asked what the hell they were doing.
But, AA have responded and put a lock and password on my booking
The better solution here is to remove your last name from your Twitter handle. If you value privacy this much, you definitely should not have your last name in your Twitter handle. Then, this would have been 100% a non-issue. However, it seems like AA took care of you by locking your PNR. I'd let it go at this point. |
Originally Posted by 777lover
(Post 34471821)
So is it all about compensation?
Originally Posted by Duckle
(Post 34472256)
As aforementioned I could not be expected to believe they would post the record locator in a public forum. Their own rules prohibit this. I was expecting them to say the booking with flight "x", or a flight on this date or reply in a DM.
|
Originally Posted by Duckle
(Post 34472256)
As aforementioned I could not be expected to believe they would post the record locator in a public forum. Their own rules prohibit this. I was expecting them to say the booking with flight "x", or a flight on this date or reply in a DM.
If you had asked in private, but the reply was public, I think you would have a reason to be upset "I wish to complain and get compensation - I shouted across a crowded room for some information and the information was shouted back." |