FlyerTalk Forums > American Airlines | AAdvantage > Data Breach
(https://www.flyertalk.com/forum/american-airlines-aadvantage/2088857-data-breach.html)

Jzlerner Jul 29, 2022 11:18 am

Data Breach
 
Hey guys, first ever post but I've been reading a lot on this forum and learning a lot so thanks everyone!

A couple of days ago I was speaking with AA on Twitter regarding using a friend's SWU to upgrade my flight. It was on open Twitter, not in a DM. I had previously conversed with them in a DM regarding a booking and had securely given over my info.

Anyway, they basically said no regarding my question about the current booking. My question to them didn't include my booking reference, so I was unsure how they had it (I forgot I was messaging them a couple of weeks ago). Anyway, I asked what booking. They responded saying "this booking", with my record locator on public display for the world to see.

They kept it up there until I alerted them about it. I'm no expert, but surely this is a big violation of data protection laws? The record locator gives access to passport details, addresses, credit cards, etc.

Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak because I've heard lots of stories of identity theft and don't exactly want that to happen to me!

Any help appreciated

Kawliga Jul 29, 2022 11:23 am

Maybe ask if they can issue you a new record locator. That should be an easy fix.

Jzlerner Jul 29, 2022 11:30 am


Originally Posted by Kawliga (Post 34469265)
Maybe ask if they can issue you a new record locator. That should be an easy fix.

I will be doing that, but it doesn't help with the people and the bots on Twitter that could literally take the info and get all my details, and I would have no way of knowing if it's happened or not. Surely they should be compensating me for this or be fined? It's definitely a breach of some laws?

USFlyerUS Jul 29, 2022 11:31 am


Originally Posted by Duckle (Post 34469249)
Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak because I've heard lots of stories of identity theft and don't exactly want that to happen to me!

Any help appreciated

I'm not really sure you can do much with just the PNR. To look it up on aa.com, you also need a last name.

And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection it wouldn't be on bag tags, boarding passes, etc. I think your risk is low.

Jzlerner Jul 29, 2022 11:36 am


Originally Posted by USFlyerUS (Post 34469289)
I'm not really sure you can do much with just the PNR. To look it up on aa.com, you also need a last name.

And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection it wouldn't be on bag tags, boarding passes, etc. I think your risk is low.

Twitter account has my surname so they would have everything they need.

I get your point with bag tags, but at the same time no one is doing that. Everyone's waiting for their bag to leave, and it wouldn't be a reasonable measure for AA to need to limit that. Sharing on Twitter with 1.6m followers, of which many are bots, is vastly different. On the AA website you can see passport info, contact info, address in the US and a bunch of other things, and if you were to call and make changes they would use the card on file. So I would argue it's a serious breach.

PHL Jul 29, 2022 11:42 am

Assuming the general public knows your last name based on your Twitter account/handle/profile, then yes, someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid (sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.

I just looked up a future reservation I have in a different browser where I don't log into my account. My Emergency contact name, phone number, trusted traveler number and passport number were all obscured with ****. So your passport number is not at risk of being stolen. However, my full name (including middle) and full AA number were there. Again - not a lot someone can do with that info to steal points.

I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR. Then the risk of someone monkeying with your reservation will be mitigated.

I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.

USFlyerUS Jul 29, 2022 11:49 am


Originally Posted by Duckle (Post 34469299)
Twitter account has my surname so they would have everything they need.

I get your point with bag tags, but at the same time no one is doing that. Everyone's waiting for their bag to leave, and it wouldn't be a reasonable measure for AA to need to limit that. Sharing on Twitter with 1.6m followers, of which many are bots, is vastly different. On the AA website you can see passport info, contact info, address in the US and a bunch of other things, and if you were to call and make changes they would use the card on file. So I would argue it's a serious breach.

I have to ask then why you would be communicating with AA about your itinerary in a public thread instead of DM. I think you bear some responsibility here as well. The Twitter agents are probably more used to dealing with individual matters like this in a DM.

I'm also surprised your real last name is in your Twitter handle, but to each his own I guess.

Jzlerner Jul 29, 2022 11:49 am


Originally Posted by PHL (Post 34469317)
Assuming the general public knows your last name based on your Twitter account/handle/profile, then yes, someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid (sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.

I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR.

I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.

For a bit more clarification, it was a big multi-city booking made on BA with 5 flights operated by AA. Having access to the AA system would give them access from there to the BA reference, and I know for a fact that within the OW alliance some reservations can be pulled into other airlines' systems. For example, I believe you can access a BA booking on Sri Lankan with a BA reference number. Sri Lankan allows access to passport data and everything else with no further verification. Once there, they literally have everything. Even just on the AA site you have enough info to call up, get through security and modify/cancel flights as you wish, with all charges billed to the card on file.

So I believe it is fairly serious if a professional/bot did see the info.

Why Twitter? I was asking an "in theory" question. I was asking whether something would work, not for them to do it. So I felt no need for a DM as it was a standard question. When I asked them what booking they were talking about, I was expecting the answer to be the date, the flight destination or perhaps a DM, not something confidential.

Jzlerner Jul 29, 2022 11:51 am


Originally Posted by USFlyerUS (Post 34469343)
I have to ask then why you would be communicating with AA about your itinerary in a public thread instead of DM. I think you bear some responsibility here as well. The Twitter agents are probably more used to dealing with individual matters like this in a DM.

I'm also surprised your real last name is in your Twitter handle, but to each his own I guess.

Answered this in my last post, but essentially I was conversing in DM weeks ago. Here I was just asking a simple general question, so why not public? Didn't realise they'd throw that in my face!

Kawliga Jul 29, 2022 12:03 pm

If the tweet with the locator has been deleted, and given the relatively limited amount of PII that a fraudster would be able to access from an AA record locator, I don’t think you need to worry.

But as to whether or not AA owes you compensation, typically you’ll need evidence of actual damages in order to prevail, not just “what if someone does x.”

Lux Flyer Jul 29, 2022 1:15 pm


Originally Posted by Duckle (Post 34469344)
For a bit more clarification, it was a big multi-city booking made on BA with 5 flights operated by AA. Having access to the AA system would give them access from there to the BA reference, and I know for a fact that within the OW alliance some reservations can be pulled into other airlines' systems. For example, I believe you can access a BA booking on Sri Lankan with a BA reference number. Sri Lankan allows access to passport data and everything else with no further verification. Once there, they literally have everything. Even just on the AA site you have enough info to call up, get through security and modify/cancel flights as you wish, with all charges billed to the card on file.

If this was a thing professional fraudsters wanted to do, they would be camping out in baggage claims, collecting PNRs/last names from the bag tags, as was mentioned above. They would get a million times better return on their time investment to steal identities than waiting for the rare situation in which a PNR/last name combination is inadvertently posted on Twitter/social media.

I (personally) think you're blowing this out of proportion for what it was, but if you're truly as concerned about your privacy online as you're making it out to be from AA disclosing the record locator, I'd recommend removing your last name from your Twitter profile/wherever else you are using it online, as it would 1) have prevented this from being an issue in the first place and 2) with your name and the amount of public records available online, someone dedicated enough could easily find almost all of the information that would be exposed from the PNR anyway.

Also since it looks like you just joined - welcome. And you probably hit the post limit for a new account so it will probably be a day before we can discuss further.

MSPeconomist Jul 29, 2022 1:51 pm


Originally Posted by Duckle (Post 34469344)
For a bit more clarification, it was a big multi-city booking made on BA with 5 flights operated by AA. Having access to the AA system would give them access from there to the BA reference, and I know for a fact that within the OW alliance some reservations can be pulled into other airlines' systems. For example, I believe you can access a BA booking on Sri Lankan with a BA reference number. Sri Lankan allows access to passport data and everything else with no further verification. Once there, they literally have everything. Even just on the AA site you have enough info to call up, get through security and modify/cancel flights as you wish, with all charges billed to the card on file.

So I believe it is fairly serious if a professional/bot did see the info.

Why Twitter? I was asking an "in theory" question. I was asking whether something would work, not for them to do it. So I felt no need for a DM as it was a standard question. When I asked them what booking they were talking about, I was expecting the answer to be the date, the flight destination or perhaps a DM, not something confidential.

If the Sri Lankan website shows valuable information from just a booking number, I would expect scammers and bots to be constantly trying random numbers. Are there reports of this being done?
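The question above is really one about keyspace density: a 6-character record locator looks large, but an attacker who is happy to land on *any* live booking only has to cover the gap between the number of live bookings and the number of possible locators. The model below is an added example written for this page, not code from the thread, from AA, or from any airline's lookup system. It assumes a locator is 6 characters from A-Z plus 0-9 (a common GDS convention; the exact alphabet any given airline uses is an assumption), and the booking counts, surname counts and request rates are constructed for illustration.

```python
"""Back-of-envelope model of brute-forcing airline record locators (PNRs).

Added example for this page; not from the FlyerTalk thread or any airline.
Assumptions, none verified against a real system:
  * a locator is 6 characters drawn from A-Z and 0-9 (36 symbols)
  * the attacker wants *any* live booking, not one particular passenger
  * probes are uniform random draws with replacement (a non-repeating
    attacker does slightly better, so these are conservative estimates)
  * all booking counts, surname counts and request rates are constructed
"""

import string

ALPHABET = string.ascii_uppercase + string.digits  # assumption: 36 symbols
LOCATOR_LEN = 6


def keyspace() -> int:
    """Number of syntactically possible locators."""
    return len(ALPHABET) ** LOCATOR_LEN


def hit_probability(live_bookings: int, probes: int) -> float:
    """P(at least one of `probes` random guesses is a live locator)."""
    p_miss = 1.0 - live_bookings / keyspace()
    return 1.0 - p_miss ** probes


def expected_probes_to_first_hit(live_bookings: int) -> float:
    """Mean guesses before the first live locator: keyspace / density."""
    return keyspace() / live_bookings


def seconds_to_first_hit(live_bookings: int, probes_per_second: float) -> float:
    """Wall-clock cost of the first hit against an endpoint that answers
    found / not-found for a bare locator at the given unthrottled rate."""
    return expected_probes_to_first_hit(live_bookings) / probes_per_second


def expected_probes_with_surname(live_bookings: int, distinct_surnames: int) -> float:
    """Same attack against a lookup that also demands a matching surname.

    Crude model: the attacker guesses (locator, surname) pairs uniformly, so
    the effective keyspace grows by the number of surnames worth trying.
    Real surname frequency is heavily skewed, so this is an upper bound on
    the attacker's cost, not a guarantee.
    """
    return keyspace() * distinct_surnames / live_bookings


def probes_before_lockout(probes_per_second: float, lockout_after_seconds: float) -> int:
    """How many bare-locator guesses a per-source rate limit allows before it
    trips; compare against expected_probes_to_first_hit to judge whether the
    limit alone is a meaningful control."""
    return int(probes_per_second * lockout_after_seconds)


if __name__ == "__main__":
    # Constructed scenario: one million live bookings, 10 requests/second.
    live, rate = 1_000_000, 10.0
    print(f"keyspace                 : {keyspace():,}")
    print(f"expected probes, bare PNR: {expected_probes_to_first_hit(live):,.0f}")
    print(f"seconds to first hit     : {seconds_to_first_hit(live, rate):,.0f}")
    print(f"expected probes, +surname: {expected_probes_with_surname(live, 10_000):,.0f}")
    print(f"P(hit in 1,000 probes)   : {hit_probability(live, 1_000):.3f}")
```

The takeaway for the thread's question is that a bare-locator lookup with no second factor and no per-source throttling is cheap to trawl when the live-booking population is large, whereas requiring a surname (as aa.com does per the posts above) multiplies the attacker's work by the number of surnames they have to try per locator; the skew in real surname frequency is why that multiplier is an upper bound rather than a guarantee.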

Dave Noble Jul 29, 2022 2:48 pm

From what I understand, you were communicating on an open channel, you asked the agent what the booking was, and the agent replied. Given that you requested the information from the agent on a public channel, I cannot see that there was a data breach.

WeekendTraveler Jul 29, 2022 3:52 pm


Originally Posted by Duckle (Post 34469249)
surely this is a big violation of data protection laws?

If you're in the US, the AA privacy policy pretty much governs what AA can and can't do with your information: Privacy policy − Support − American Airlines (aa.com)

The AA privacy policy says that you should keep your record locator confidential, so it's odd that AA would tweet it. But the privacy policy specifically allows use of it:

"to complete transactions and fulfill requests for our products and services."

So I don't think you have any claim against AA. Such is life in the US (unlike in the EU).

Lomapaseo Jul 29, 2022 5:37 pm


Originally Posted by PHL (Post 34469317)
Assuming the general public knows your last name based on your Twitter account/handle/profile, then yes, someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid (sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.

I just looked up a future reservation I have in a different browser where I don't log into my account. My Emergency contact name, phone number, trusted traveler number and passport number were all obscured with ****. So your passport number is not at risk of being stolen. However, my full name (including middle) and full AA number were there. Again - not a lot someone can do with that info to steal points.

I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR. Then the risk of someone monkeying with your reservation will be mitigated.

I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.

Recall a discussion years ago about what one can do with somebody's boarding pass left in a seat pocket.

Of course, what are the odds that a bad guy like me will be sitting in that uncleaned seat on its next flight?
