FlyerTalk Forums - American Airlines | AAdvantage - Data Breach (https://www.flyertalk.com/forum/american-airlines-aadvantage/2088857-data-breach.html)

Jzlerner Jul 29, 2022 11:18 am

Data Breach
 
Hey guys, first ever post but I've been reading a lot on this forum and learning a lot so thanks everyone!

A couple of days ago I was speaking with AA on Twitter regarding using a friend's SWU to upgrade my flight. It was open Twitter, not in a DM. I had previously conversed with them in a DM regarding a booking and had securely given over my info.

Anyway, they basically said no regarding my question to the current booking. My question to them didn't include my booking reference so I was unsure how they had it (I forgot I was messaging them a couple of weeks ago). Anyway I asked what booking. They responded saying this booking with my record locator on public display for the world to see.

They kept it up there until I alerted them about it. I'm no expert but surely this is a big violation of data protection laws? The record locator has access to passport details, addresses, credit cards etc...

Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak cos I've heard lots of stories of identity theft and don't exactly want that to happen to me!

Any help appreciated

Kawliga Jul 29, 2022 11:23 am

Maybe ask if they can issue you a new record locator. That should be an easy fix.

Jzlerner Jul 29, 2022 11:30 am


Originally Posted by Kawliga (Post 34469265)
Maybe ask if they can issue you a new record locator. That should be an easy fix.

I will be doing that but it doesn't help the people and the bots on Twitter that could literally take the info and get all my details and I would have no way of knowing if it's happened or not. Surely they should be compensating me for this or be fined? It's definitely a breach of some laws?

USFlyerUS Jul 29, 2022 11:31 am


Originally Posted by Duckle (Post 34469249)
Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak cos I've heard lots of stories of identity theft and don't exactly want that to happen to me!

Any help appreciated

I'm not really sure you can do much with just the PNR. To look up a booking on aa.com, you also need a last name.

And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection it wouldn't be on bag tags, boarding passes, etc. I think your risk is low.

Jzlerner Jul 29, 2022 11:36 am


Originally Posted by USFlyerUS (Post 34469289)
I'm not really sure you can do much with just the PNR. To look up a booking on aa.com, you also need a last name.

And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection it wouldn't be on bag tags, boarding passes, etc. I think your risk is low.

Twitter account has my surname so they would have everything they need.

I get your point with bag tags but at the same time no one is doing that. Everyone's waiting for their bag to leave and it wouldn't be a reasonable measure for AA to need to limit that. Sharing on Twitter with 1.6m followers, of which many are bots, is vastly different. On the AA website you can see passport info, contact info, address in the US and a bunch of other things, and if you were to call and make changes they would use the card on file. So I would argue it's a serious breach.

PHL Jul 29, 2022 11:42 am

Assuming the general public knows your last name based on your twitter account/handle/profile, then yes - someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid(sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.

I just looked up a future reservation I have in a different browser where I don't log into my account. My Emergency contact name, phone number, trusted traveler number and passport number were all obscured with ****. So your passport number is not at risk of being stolen. However, my full name (including middle) and full AA number were there. Again - not a lot someone can do with that info to steal points.

I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR. Then the risk of someone monkeying with your reservation will be mitigated.

I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.

USFlyerUS Jul 29, 2022 11:49 am


Originally Posted by Duckle (Post 34469299)
Twitter account has my surname so they would have everything they need.

I get your point with bag tags but at the same time no one is doing that. Everyone's waiting for their bag to leave and it wouldn't be a reasonable measure for AA to need to limit that. Sharing on Twitter with 1.6m followers, of which many are bots, is vastly different. On the AA website you can see passport info, contact info, address in the US and a bunch of other things, and if you were to call and make changes they would use the card on file. So I would argue it's a serious breach.

I have to ask then why you would be communicating with AA about your itinerary in a public thread instead of DM. I think you bear some responsibility here as well. The Twitter agents are probably more used to dealing with individual matters like this in a DM.

I'm also surprised your real last name is in your Twitter handle, but to each his own I guess.

Jzlerner Jul 29, 2022 11:49 am


Originally Posted by PHL (Post 34469317)
Assuming the general public knows your last name based on your twitter account/handle/profile, then yes - someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid(sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.

I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR.

I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.

For a bit more clarification it was a big multi city booking made on BA with 5 flights operated by AA. Having access to AA system would give them access from there to the BA reference and I know for a fact that within the OW alliance some reservations could be put into other airlines systems. For example I believe you can access a BA booking on Sri Lankan with a BA reference number. Sri Lankan allows access to passport data and everything else with no further verification. Once there they literally have everything. Even just on AA site you have enough info to call up and get thru security and modify/cancel flights as you wish with all charges billed to card on file.

So I believe it is fairly serious if a professional/bot did see the info.
Why Twitter? I was asking an "in theory" question. I was asking whether something would work, not for them to do it. So I felt no need for a DM as it was a standard question. When I asked them what booking they were talking about I was expecting the answer to be the date, the flight destination or perhaps a DM, not something confidential.

Jzlerner Jul 29, 2022 11:51 am


Originally Posted by USFlyerUS (Post 34469343)
I have to ask then why you would be communicating with AA about your itinerary in a public thread instead of DM. I think you bear some responsibility here as well. The Twitter agents are probably more used to dealing with individual matters like this in a DM.

I'm also surprised your real last name is in your Twitter handle, but to each his own I guess.

Answered this in my last post, but essentially I was conversing in DM weeks ago. Here I was just asking a simple general question, so why not public? Didn't realise they'd throw that in my face!

Kawliga Jul 29, 2022 12:03 pm

If the tweet with the locator has been deleted, and given the relatively limited amount of PII that a fraudster would be able to access from an AA record locator, I don’t think you need to worry.

But as to whether or not AA owes you compensation, typically you’ll need evidence of actual damages in order to prevail, not just “what if someone does x.”

Lux Flyer Jul 29, 2022 1:15 pm


Originally Posted by Duckle (Post 34469344)
For a bit more clarification it was a big multi city booking made on BA with 5 flights operated by AA. Having access to AA system would give them access from there to the BA reference and I know for a fact that within the OW alliance some reservations could be put into other airlines systems. For example I believe you can access a BA booking on Sri Lankan with a BA reference number. Sri Lankan allows access to passport data and everything else with no further verification. Once there they literally have everything. Even just on AA site you have enough info to call up and get thru security and modify/cancel flights as you wish with all charges billed to card on file.

If this was a thing professional fraudsters wanted to do, they would be camping out in baggage claims, collecting PNRs/last names from the bag tags, as was mentioned above. They would get a million times better return on their time investment to steal identities than waiting for the rare situation in which a PNR/last name combination is inadvertently posted on Twitter/social media.

I (personally) think you're blowing this out of proportion for what it was, but if you're truly as concerned about your privacy online as you're making it out to be from AA disclosing the record locator, I'd recommend removing your last name from your Twitter profile/wherever else you are using it online, as it would 1) have prevented this from being an issue in the first place and 2) with your name and the amount of public records available online, someone dedicated enough could easily get almost all of the information that would be exposed from the PNR anyway.

Also since it looks like you just joined - welcome. And you probably hit the post limit for a new account so it will probably be a day before we can discuss further.

MSPeconomist Jul 29, 2022 1:51 pm


Originally Posted by Duckle (Post 34469344)
For a bit more clarification it was a big multi city booking made on BA with 5 flights operated by AA. Having access to AA system would give them access from there to the BA reference and I know for a fact that within the OW alliance some reservations could be put into other airlines systems. For example I believe you can access a BA booking on Sri Lankan with a BA reference number. Sri Lankan allows access to passport data and everything else with no further verification. Once there they literally have everything. Even just on AA site you have enough info to call up and get thru security and modify/cancel flights as you wish with all charges billed to card on file.

So I believe it is fairly serious if a professional/bot did see the info.
Why Twitter? I was asking an "in theory" question. I was asking whether something would work, not for them to do it. So I felt no need for a DM as it was a standard question. When I asked them what booking they were talking about I was expecting the answer to be the date, the flight destination or perhaps a DM, not something confidential.

If the Sri Lankan website shows valuable information from just a booking number, I would expect scammers and bots to be constantly trying random numbers. Are there reports of this being done?

Dave Noble Jul 29, 2022 2:48 pm

From what I understand, you were communicating on an open channel and you asked the agent what the booking was and the agent replied. Given that you requested the information from the agent on a public channel, I cannot see that there was a data breach.

WeekendTraveler Jul 29, 2022 3:52 pm


Originally Posted by Duckle (Post 34469249)
surely this is a big violation of data protection laws?

If you're in the US, the AA privacy policy pretty much governs what AA can and can't do with your information: Privacy policy − Support − American Airlines (aa.com)

The AA privacy policy says that you should keep your record locator confidential so it's odd that AA would Tweet it. But the privacy policy specifically allows use of it:

"to complete transactions and fulfill requests for our products and services."

So I don't think you have any claim against AA. Such is life in the US (unlike in the EU).

Lomapaseo Jul 29, 2022 5:37 pm


Originally Posted by PHL (Post 34469317)
Assuming the general public knows your last name based on your twitter account/handle/profile, then yes - someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid(sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.

I just looked up a future reservation I have in a different browser where I don't log into my account. My Emergency contact name, phone number, trusted traveler number and passport number were all obscured with ****. So your passport number is not at risk of being stolen. However, my full name (including middle) and full AA number were there. Again - not a lot someone can do with that info to steal points.

I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR. Then the risk of someone monkeying with your reservation will be mitigated.

I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.

Recall a discussion years ago about what one can do with somebody's boarding pass left in a seat pocket.

Of course, what are the odds that a bad guy like me will be sitting in that uncleaned seat on its next flight?

irishguy28 Jul 30, 2022 11:04 am


Originally Posted by USFlyerUS (Post 34469289)
I
And, to be honest, every bag tag has both a PNR and last name on it, which anyone could easily see by standing in baggage claim areas while pretending to look for their own bag. While obviously Twitter is a much bigger forum, my point is that if a PNR was PII requiring protection it wouldn't be on bag tags, boarding passes, etc. I think your risk is low.

I was watching a repeat of a Dutch travel programme on TV this morning, during which they showed an email from an airline on screen with some details obscured - but not the full name of the passenger, or the PNR.

777lover Jul 30, 2022 11:22 am

So is it all about compensation?


Originally Posted by Duckle (Post 34469249)
Hey guys, first ever post but I've been reading a lot on this forum and learning a lot so thanks everyone!

A couple of days ago I was speaking with AA on Twitter regarding using a friend's SWU to upgrade my flight. It was open Twitter, not in a DM. I had previously conversed with them in a DM regarding a booking and had securely given over my info.

Anyway, they basically said no regarding my question to the current booking. My question to them didn't include my booking reference so I was unsure how they had it (I forgot I was messaging them a couple of weeks ago). Anyway I asked what booking. They responded saying this booking with my record locator on public display for the world to see.

They kept it up there until I alerted them about it. I'm no expert but surely this is a big violation of data protection laws? The record locator has access to passport details, addresses, credit cards etc...

Is there anything I should be concerned about? Is there a way to get AA to somehow compensate me? I'm quite a data freak cos I've heard lots of stories of identity theft and don't exactly want that to happen to me!

Any help appreciated


Jzlerner Jul 30, 2022 2:12 pm


Originally Posted by Kawliga (Post 34469380)
But as to whether or not AA owes you compensation, typically you’ll need evidence of actual damages in order to prevail, not just “what if someone does x.”

AFAIK regarding confidentiality breaches, not just in this case but in any case, compensation is due regardless of harm or loss. It's why every company who loses clients' data compensates them and gets a big fine, even if nothing was done with the data.

Jzlerner Jul 30, 2022 2:14 pm


Originally Posted by Dave Noble (Post 34469832)
From what I understand, you were communicating on an open channel and you asked the agent what the booking was and the agent replied. Given that you requested the information from the agent on a public channel, I cannot see that there was a data breach

As aforementioned I could not be expected to believe they would post the record locator in a public forum. Their own rules prohibit this. I was expecting them to say the booking with flight "x", or a flight on this date or reply in a DM.

Jzlerner Jul 30, 2022 2:15 pm


Originally Posted by WeekendTraveler (Post 34469993)
If you're in the US, the AA privacy policy pretty much governs what AA can and can't do with your information: Privacy policy − Support − American Airlines (aa.com)

The AA privacy policy says that you should keep your record locator confidential so it's odd that AA would Tweet it. But the privacy policy specifically allows use of it:

"to complete transactions and fulfill requests for our products and services."

So I don't think you have any claim against AA. Such is life in the US (unlike in the EU).

It's a good thing I booked my ticket with BA then! It should be covered by GDPR rules, which are significantly more stringent.

Jzlerner Jul 30, 2022 2:17 pm


Originally Posted by Lux Flyer (Post 34469549)
If this was a thing professional fraudsters wanted to do, they would be camping out in baggage claims, collecting PNRs/last names from the bag tags, as was mentioned above. They would get a million times better return on their time investment to steal identities than waiting for the rare situation in which a PNR/last name combination is inadvertently posted on Twitter/social media.

I (personally) think you're blowing this out of proportion for what it was, but if you're truly as concerned about your privacy online as you're making it out to be from AA disclosing the record locator, I'd recommend removing your last name from your Twitter profile/wherever else you are using it online, as it would 1) have prevented this from being an issue in the first place and 2) with your name and the amount of public records available online, someone dedicated enough could easily get almost all of the information that would be exposed from the PNR anyway.

Also since it looks like you just joined - welcome. And you probably hit the post limit for a new account so it will probably be a day before we can discuss further.

True. If a scammer really wanted to they could get all the details by hanging around at baggage claim. Although in reality they'd be caught after about five minutes when some lovely CBP officer came up to them and asked what the hell they were doing.

But AA have responded and put a lock and password on my booking.

Jzlerner Jul 30, 2022 2:21 pm

But the point still stands that what they did was illegal, perhaps not under US law but definitely under UK/EU law, and as I provided the info to BA when I booked through them it would be a violation of these laws. I'm not looking to seek compensation (unless someone does get a hold of my details) but at the same time I do believe they should be retrained and/or fined. Not necessarily just because it broke the law, but simply because of the stupidity of whichever CS representative posted it on Twitter. I cannot fathom how whoever did it could be so oblivious; I've seen many times when the AA Twitter team "strongly advise" customers who tweet them in public with details exactly like this to delete their tweet, and here they go doing the exact opposite.

USFlyerUS Jul 30, 2022 2:51 pm

I think you're overreacting on this. Regardless of whether we think a PNR is PII or not, the agent made a simple mistake that was easily corrected.

davecraze Jul 30, 2022 2:54 pm

The reality is that no company is going to be fined (or be required to retrain an employee or anything else) by any data protection authority for something like this. In addition to being significantly de minimis (plus is a record locator even PII - I don’t think that is clear), you agreed to usage in the privacy policy.

If you just cannot sleep at night, then report AA to the UK data protection authority and then you are done. There are likely thousands of such reports filed all across EU data privacy regulators every single week. I know you feel strongly about this, but absolutely nothing will happen because of it.

Please also do get a new record locator as well.

WeekendTraveler Jul 30, 2022 2:54 pm


Originally Posted by Duckle (Post 34472274)
But the point still stands that what they did was illegal, perhaps not under US law but definitely under UK/EU law, and as I provided the info to BA when I booked through them it would be a violation of these laws. I'm not looking to seek compensation (unless someone does get a hold of my details) but at the same time I do believe they should be retrained and/or fined. Not necessarily just because it broke the law, but simply because of the stupidity of whichever CS representative posted it on Twitter. I cannot fathom how whoever did it could be so oblivious; I've seen many times when the AA Twitter team "strongly advise" customers who tweet them in public with details exactly like this to delete their tweet, and here they go doing the exact opposite.

Not necessarily.

In the US, victims of data breaches get compensation often because regulators (and data privacy laws) require it.

In the EU, the GDPR is much stricter than most US data privacy laws, but companies are allowed to use your data, as long as you've given the proper consent and you haven't revoked that consent, and as long as they have the internal set-up to comply with data privacy laws.

In any event, if you don't want your information shared on Twitter, then don't communicate that way. You made your bed, now lie in it.

If you're so certain that AA broke the law, (1) where did you go to law school and (2) what specific statute was broken?

USFlyerUS Jul 30, 2022 2:57 pm


Originally Posted by Duckle (Post 34472266)
True. If a scammer really wanted to they could get all the details by hanging around at baggage claim. Although in reality they'd be caught after about five minutes when some lovely CBP officer came up to them and asked what the hell they were doing.

But AA have responded and put a lock and password on my booking.

CBP is not around domestic baggage claims. I can't remember the last time I even saw airport police around baggage claims. And bags lately have been sitting in baggage claims worldwide for days and days due to all the staffing issues. My bag has ended up in that nightmare a few times, and agents have routinely said 'go look for your bag' among a sea of hundreds. It wouldn't be at all difficult to get dozens of PNR/last name combos very quickly.

The better solution here is to remove your last name from your Twitter handle. If you value privacy this much, you definitely should not have your last name in your Twitter handle. Then, this would have been 100% a non-issue. However, it seems like AA took care of you by locking your PNR. I'd let it go at this point.

Kawliga Jul 31, 2022 12:40 am


Originally Posted by 777lover (Post 34471821)
So is it all about compensation?

I second that question. It sounds like a trap.


Originally Posted by Duckle (Post 34472256)
As aforementioned I could not be expected to believe they would post the record locator in a public forum. Their own rules prohibit this. I was expecting them to say the booking with flight "x", or a flight on this date or reply in a DM.


Dave Noble Jul 31, 2022 4:29 am


Originally Posted by Duckle (Post 34472256)
As aforementioned I could not be expected to believe they would post the record locator in a public forum. Their own rules prohibit this. I was expecting them to say the booking with flight "x", or a flight on this date or reply in a DM.

You asked in public about your flight details, and the agent replied. That the reply, which seems to address your request, was not what you expected doesn't take away that you asked for the info.

If you had asked in private but the reply was public, I think you would have a reason to be upset.

"I wish to complain and get compensation - I shouted across a crowded room for some information and the information was shouted back."
