Data Breach
#16
FlyerTalk Evangelist
Join Date: Mar 2008
Location: Netherlands
Programs: KL Platinum; A3 Gold
Posts: 28,730
And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection it wouldn't be on bag tags, boarding passes, etc. I think your risk is low.
#17
Join Date: Oct 2002
Posts: 1,701
So is it all about compensation?
Hey guys, first ever post but I've been reading a lot on this forum and learning a lot so thanks everyone!
A couple of days ago I was speaking with AA on Twitter regarding using a friend's SWU to upgrade my flight. It was open Twitter, not in a DM. I had previously conversed with them in a DM regarding a booking and had securely given over my info.
Anyway, they basically said no regarding my question about the current booking. My question to them didn't include my booking reference, so I was unsure how they had it (I forgot I was messaging them a couple of weeks ago). Anyway, I asked which booking. They responded saying "this booking", with my record locator on public display for the world to see.
They kept it up there until I alerted them about it. I'm no expert, but surely this is a big violation of data protection laws? The record locator gives access to passport details, addresses, credit cards, etc...
Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak because I've heard lots of stories of identity theft and don't exactly want that to happen to me!
Any help appreciated
#18
Original Poster
Join Date: May 2022
Posts: 501
AFAIK regarding confidentiality breaches, not just in this case but in any case, compensation is due regardless of harm or loss. It's why every company that loses clients' data compensates them and gets a big fine, even if nothing was done with the data.
#19
Original Poster
Join Date: May 2022
Posts: 501
As mentioned above, I could not be expected to believe they would post the record locator in a public forum. Their own rules prohibit this. I was expecting them to say the booking with flight "x", or a flight on this date, or to reply in a DM.
#20
Original Poster
Join Date: May 2022
Posts: 501
If you're in the US, the AA privacy policy pretty much governs what AA can and can't do with your information: Privacy policy − Support − American Airlines (aa.com)
The AA privacy policy says that you should keep your record locator confidential so it's odd that AA would Tweet it. But the privacy policy specifically allows use of it:
"to complete transactions and fulfill requests for our products and services."
So I don't think you have any claim against AA. Such is life in the US (unlike in the EU).
#21
Original Poster
Join Date: May 2022
Posts: 501
If this was a thing professional fraudsters wanted to do, they would be camping out in baggage claims, collecting PNRs/last names from the bag tags, as was mentioned above. They would get a million times better return on their time investment to steal identities than waiting for the rare situation in which a PNR/last name combination is inadvertently posted on Twitter/social media.
I (personally) think you're blowing this out of proportion for what it was, but if you're truly as concerned about your privacy online as you're making it out to be from AA disclosing the record locator, I'd recommend removing your last name from your Twitter profile/wherever else you are using it online, as it would 1) have prevented this from being an issue in the first place and 2) with your name and the amount of public records available online, someone dedicated enough could easily find almost all of the information that would be exposed from the PNR anyway.
Also since it looks like you just joined - welcome. And you probably hit the post limit for a new account so it will probably be a day before we can discuss further.
But, AA have responded and put a lock and password on my booking.
#22
Original Poster
Join Date: May 2022
Posts: 501
But the point still stands that what they did was illegal, perhaps not under US law but definitely under UK/EU law, and as I provided the info to BA (I booked through them) it would be a violation of these laws. I'm not looking to seek compensation (unless someone does get hold of my details), but at the same time I do believe they should be retrained and/or fined. Not necessarily just because it broke the law, but simply because of the stupidity of whichever CS representative posted it on Twitter. I cannot fathom how whoever did it could be so oblivious; I've seen many times when the AA Twitter team "strongly advise" customers who tweet them in public with details exactly like this to delete their tweet, and here they go doing the exact opposite.
#23
Join Date: Feb 2003
Location: Washington, DC
Programs: AA Executive Platinum/Million Miler, Marriott Titanium Elite-Lifetime, Hilton Gold
Posts: 3,210
I think you're overreacting on this. Regardless of whether we think a PNR is PII or not, the agent made a simple mistake that was easily corrected.
Last edited by USFlyerUS; Jul 30, 2022 at 3:08 pm
#24
Join Date: May 2010
Location: DFW Area
Programs: AA ConciergeKey; Hyatt Globalist
Posts: 392
The reality is that no company is going to be fined (or be required to retrain an employee or anything else) by any data protection authority for something like this. In addition to being significantly de minimis (plus, is a record locator even PII? I don't think that is clear), you agreed to the usage in the privacy policy.
If you just cannot sleep at night, then report AA to the UK data protection authority and then you are done. There are likely thousands of such reports filed across EU data privacy regulators every single week. I know you feel strongly about this, but absolutely nothing will happen because of it.
Please also do get a new record locator as well.
#25
Suspended
Join Date: Sep 2019
Posts: 2,094
But the point still stands that what they did was illegal, perhaps not under US law but definitely under UK/EU law, and as I provided the info to BA (I booked through them) it would be a violation of these laws. I'm not looking to seek compensation (unless someone does get hold of my details), but at the same time I do believe they should be retrained and/or fined. Not necessarily just because it broke the law, but simply because of the stupidity of whichever CS representative posted it on Twitter. I cannot fathom how whoever did it could be so oblivious; I've seen many times when the AA Twitter team "strongly advise" customers who tweet them in public with details exactly like this to delete their tweet, and here they go doing the exact opposite.
In the US, victims of data breaches get compensation often because regulators (and data privacy laws) require it.
In the EU, the GDPR is much stricter than most US data privacy laws, but companies are allowed to use your data, as long as you've given the proper consent and you haven't revoked that consent, and as long as they have the internal set-up to comply with data privacy laws.
In any event, if you don't want your information shared on Twitter, then don't communicate that way. You made your bed, now lie in it.
If you're so certain that AA broke the law, (1) where did you go to law school and (2) what specific statute was broken?
#26
Join Date: Feb 2003
Location: Washington, DC
Programs: AA Executive Platinum/Million Miler, Marriott Titanium Elite-Lifetime, Hilton Gold
Posts: 3,210
True. If a scammer really wanted to, they could get all the details by hanging around at baggage claim. Although in reality they'd be caught after about five minutes when some lovely CBP officer came up to them and asked what the hell they were doing.
But, AA have responded and put a lock and password on my booking.
The better solution here is to remove your last name from your Twitter handle. If you value privacy this much, you definitely should not have your last name in your Twitter handle. Then, this would have been 100% a non-issue. However, it seems like AA took care of you by locking your PNR. I'd let it go at this point.
#27
Join Date: Nov 2021
Location: DFW
Programs: AA PlatPro, AS
Posts: 142
I second that question. It sounds like a trap.
#28
A FlyerTalk Posting Legend
Join Date: Jan 2002
Posts: 44,597
If you had asked in private, but the reply was public, I think you would have a reason to be upset.
"I wish to complain and get compensation - I shouted across a crowded room for some information and the information was shouted back."