Why are BA still having issues of sending the wrong emails to the wrong people?
#1
Original Poster
Join Date: Jun 2015
Posts: 30
I received an email clearly intended for another passenger a few weeks ago. It includes their name and confirmation number and their itinerary, which means if I were a bad actor I could log in to their booking and do some fairly bad things - presumably cancel, change, select seats, order meals, and see a load of personal information. Not that I've tried.
I've let BA know and they really don't seem to care. The first email I got back was a generic response with a link to their privacy policy. When I followed up asking if they could explain how this happened, and how I could get some assurance that my own data wasn't being similarly shared with the wrong people, they replied with a short 'sorry we can't answer your query as we don't know why this has happened.'
The thing is I know from browsing here that this has been happening for years. Why can't BA get a grip on the basics of data protection after all this time? Why do they seem so relaxed about something that seems like a systematic breach?
#3
FlyerTalk Evangelist
Join Date: Nov 2011
Location: Brighton. UK
Programs: BA Gold / VS /IHG Diamond & Ambassador
Posts: 14,192
Complain to the Information Commissioner's Office who regulates data protection,
maybe then BA will sort themselves out when the ICO takes an interest.
#4
Join Date: Jan 2016
Location: South East England
Programs: Status with BA Exec Club; KrisFlyer; Hilton Honors; IHG One; Marriott Bonvoy
Posts: 543
You should probably do both:-
- nudge the CISO or similar senior security person
- wait seven days for a meaningful response — if nothing raise with ICO
Also, check back on Ancient Observer’s recent posts here.
#6
Ambassador, British Airways; FlyerTalk Posting Legend
Join Date: Apr 2012
Location: Leeds, UK
Programs: BA GGL/CCR, GfL, HH Diamond
Posts: 42,936
I understand why you are suggesting it, and clearly BA shouldn’t have sent the details to the wrong person, but unauthorised access to someone else’s booking is not recommended as the OP could be committing an offence doing so.
#7
Original Poster
Join Date: Jun 2015
Posts: 30
I haven't done it, but I could most likely notify the passengers without accessing the booking as there's information in the confirmation email that I could use to find them on social media. I'm not super keen on the idea of scaring the pants off someone else by contacting them like that though. Although I do think perhaps BA should disclose the breach to them.
I'm just a bit perplexed that a large corporation in 2018 hasn't got some heavyweight processes in place for this. I'm baffled that this has been going on for years and they haven't prioritised a fix.
I may try and contact the CISO, and the ICO if nothing good comes of that.
#8
Join Date: Feb 2009
Location: YYC
Programs: BA bronze, Aeroplan peon
Posts: 4,744
From this link: https://www.britishairways.com/en-ca...rivacy-policy#
"Keep your booking reference confidential
When you make a booking, you will be given a booking reference (also known as a PNR or Passenger Name Record). This will appear on the email confirmation or ticket of each person in your booking. You should always keep your booking reference confidential. If you have further questions please get in touch with us by writing to Data Protection Officer, British Airways Plc, Waterside (HCB3), PO Box 365, Harmondsworth, UB7 0GB, England."
#9
Join Date: Feb 2009
Location: YYC
Programs: BA bronze, Aeroplan peon
Posts: 4,744
Her, I assume.
Sarah Bains, Data Protection Manager at British Airways
https://www.linkedin.com/in/sarah-bains-a9878b8/
#10
Join Date: Aug 2013
Posts: 8,764
I haven't done it, but I could most likely notify the passengers without accessing the booking as there's information in the confirmation email that I could use to find them on social media. I'm not super keen on the idea of scaring the pants off someone else by contacting them like that though. Although I do think perhaps BA should disclose the breach to them.
I'm just a bit perplexed that a large corporation in 2018 hasn't got some heavyweight processes in place for this. I'm baffled that this has been going on for years and they haven't prioritised a fix.
I may try and contact the CISO, and the ICO if nothing good comes of that.
#11
Join Date: Aug 2015
Posts: 540
I've done it in the past. Found the guy's son on Facebook and messaged him. The father thanked me profusely. His email address was nothing like mine.
#12
Original Poster
Join Date: Jun 2015
Posts: 30
Nope, not at all similar. And there is in fact a steady stream of posts like mine going back for a while. I'm 99% sure BA have some software issue which means confirmation emails occasionally go to a random, unrelated email address from their database.
#13
FlyerTalk Evangelist
Join Date: May 2014
Location: UK
Programs: BA Gold
Posts: 12,254
If you put this other person's details into https://classic.checkmytrip.com/plne...NS&LANGUAGE=GB rather than BA.com you could find an awful lot about them - more so than you'll see in MMB
This is considerably poor form
#15
FlyerTalk Evangelist
Join Date: May 2014
Location: UK
Programs: BA Gold
Posts: 12,254
It's bad! Especially those social media folks that show their surname and booking ref on a boarding pass!