Strange reply from Exec Club - GDPR or phishing
#1
Original Poster
Join Date: May 2008
Programs: GGL
Posts: 269
I did send an email to Exec Club and I got this reply. Safe to say I have NOT submitted the requested information.
Thank you for contacting us at The Club - it's good to hear from you.
We're usually quick to respond and will be in touch with you as soon as possible - you don't need to send your query again at any time.
In order to make sure we continue to securely protect your data, we’ve revised our validation procedures, allowing us to discuss your details or bookings with you. This ensures that your data continues to be held securely and we only discuss issues with you or a person you have given us the authority to act on your behalf.
For all your future account queries (including the email you’ve just sent to us), you will need to provide the following information in your enquiry before we can answer you:
• The registered postal address on your account
• Your date of birth or passport number
Please also make sure you've given us your account number.
We thank you so much for your support and cooperation with this.
Finally, if you’re due to travel within the next 48 hours or if you need to talk to us urgently, you might like to consider calling through to your dedicated support team.
Kind regards
British Airways
#2
Suspended
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 50,262
As you have stated that the email is a reply to one you sent and you are also not being asked to "click through" to a form, it is extraordinarily unlikely to be a phishing exercise.
If you are remotely concerned, do not respond to the email, but send a new one, including the original question and the newly-required identification information.
If you are queasy about sending this information via email, you may, of course, call in and provide the question and verification over the phone.
#3
FlyerTalk Evangelist
Join Date: Nov 2011
Location: Brighton. UK
Programs: BA Gold / VS /IHG Diamond & Ambassador
Posts: 14,191
What email address did it come from - not what it says in the header - but when you click on / hover a mouse over it?
A few things that come to mind -
1. I've never seen an email from exec club that refers to it as 'The Club'
2. The second sentence is not (to me) usual BA speak
3. Address etc. I would only give this in a phone call that I made to BA and not in an email.
#4
Ambassador, British Airways; FlyerTalk Posting Legend
Join Date: Apr 2012
Location: Leeds, UK
Programs: BA GGL/CCR, GfL, HH Diamond
Posts: 42,936
This is the standard recent email from the GGL team - I assume this is replying to your email to the normal GGL email address? When sending emails to the GGL team in the future you need to include the requested information.
#5
Original Poster
Join Date: May 2008
Programs: GGL
Posts: 269
Yes and wow. I won't be emailing them in the future. In my opinion this is really poor practice.
#6
Join Date: Sep 2010
Location: Las Vegas
Programs: BA Gold; Hilton Honors Diamond
Posts: 3,227
I certainly would not be submitting the required information. Irrespective of whether it's a genuine e-mail or not, given the prevalence of phishing-type mails and the attendant risks of replying or opening attachments etc., companies need to find better ways of validating the identity of their customers. Without wishing to get into another discussion about the state of BA's IT capabilities, things like strong passwords and two-factor authentication would greatly improve security.
Looking at the message the OP has quoted the glaring red flag in my opinion is the use of "The Club" to describe the British Airways Executive Club. That in itself would give me serious cause for concern.
#7
Ambassador, British Airways; FlyerTalk Posting Legend
Join Date: Apr 2012
Location: Leeds, UK
Programs: BA GGL/CCR, GfL, HH Diamond
Posts: 42,936
Why? How would you suggest they check your identity so they can deal with your instructions in the email? I am sure you’ll already be familiar with similar questions when calling them.
#8
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,892
I'd agree it's not good - or right, sending this kind of PII - personal information - over public email. Anyway, even when I do email the requested info with my original mail, they still respond asking for the same information all over again. I can't see any justification under GDPR for this change in policy and it dilutes the benefit of being able to email the GGL team. I don't know of any other supplier who asks for this kind of "confirmation" information over public email. When calling, if they're recording the call, they should be stopping the recording when this information is given over the phone as well - just as reputable companies do when you're providing credit card information.
#9
Ambassador, British Airways; FlyerTalk Posting Legend
Join Date: Apr 2012
Location: Leeds, UK
Programs: BA GGL/CCR, GfL, HH Diamond
Posts: 42,936
I certainly would not be submitting the required information. Irrespective of whether it's a genuine e-mail or not, given the prevalence of phishing-type mails and the attendant risks of replying or opening attachments etc., companies need to find better ways of validating the identity of their customers. Without wishing to get into another discussion about the state of BA's IT capabilities, things like strong passwords and two-factor authentication would greatly improve security.
Looking at the message the OP has quoted the glaring red flag in my opinion is the use of "The Club" to describe the British Airways Executive Club. That in itself would give me serious cause for concern.
#10
Join Date: Jan 2011
Location: London, UK
Programs: BAGGL, A3G, Accor Gold, Hilton Diamond, IHG Diamond, LHW Sterling
Posts: 1,308
I’m sorry, as I’ve basically missed the whole GDPR thing as been away from UK whilst it was going on, but is this new request connected to that?
Is the idea that BA might inadvertently give your details out so they ask for additional verification? But to request customers email every time this seems strange - almost feels like it adds more risk, as your details are flying around emails all the time. Happy to be educated here!
#11
Ambassador, British Airways; FlyerTalk Posting Legend
Join Date: Apr 2012
Location: Leeds, UK
Programs: BA GGL/CCR, GfL, HH Diamond
Posts: 42,936
I’m sorry, as I’ve basically missed the whole GDPR thing as been away from UK whilst it was going on, but is this new request connected to that?
Is the idea that BA might inadvertently give your details out so they ask for additional verification? But to request customers email every time this seems strange - almost feels like it adds more risk, as your details are flying around emails all the time. Happy to be educated here!
#12
Join Date: Sep 2010
Location: Las Vegas
Programs: BA Gold; Hilton Honors Diamond
Posts: 3,227
Then I have to say it's a very badly written email that, certainly to my eye, gives cause for concern. I fully understand that need for the GGL team to be able to verify that they are dealing with the correct customer and carrying out their legitimate instructions but from the customer's perspective I think it's important that they can equally be sure that any request for personally identifiable information is genuine. The style and form of that e-mail - to me, at least - comes across as a phishing attempt.
#13
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,892
I’m sorry, as I’ve basically missed the whole GDPR thing as been away from UK whilst it was going on, but is this new request connected to that?
Is the idea that BA might inadvertently give your details out so they ask for additional verification? But to request customers email every time this seems strange - almost feels like it adds more risk, as your details are flying around emails all the time. Happy to be educated here!
I know that the GGL team ask you for this information when you call - but my assumption previously was that your email address confirmed you as the right person if the email address was the same one registered with BAEC. Sending passport number and / or date of birth along with Exec Club number in an email is asking for problems, especially as you're also likely to have a PNR in the email as well. Once this information is received by BAEC and validated, it should be deleted, encrypted or anonymised - but I bet it isn't as it appears to be all held in BA's enormous document management system.
#14
Moderator: British Airways Executive Club
Join Date: Jan 2009
Programs: Battleaxe Alliance
Posts: 22,127
This is indeed the standard email from the GGL team.
The email to which this reply was sent in response will also need to be followed up with those details. It's not too clear from their email as quoted above but if you don't send them those details, you will receive another email from them saying that they can't do anything until you supply those details (at least that was the case with me).
Funnily enough I sent the GGL team a grumpy email about something that had nothing to do with BAEC and still got this response (which, I admit, made me feel slightly more grumpy). Then the CR called on my registered mobile number in response (after I supplied the requested details by email), and then wanted to go through lots of security questions again. I was thinking... "Ummmm you called my number registered on my BAEC account, and you still want me to supply all that info?" although I didn't say anything because it's not the agent that decides on that kind of policy, but whoever makes that policy (the legal team??) and I did not want the CR agent to suffer more whinges from me!
Last edited by LTN Phobia; Jun 26, 2018 at 1:13 pm
#15
Ambassador, British Airways; FlyerTalk Posting Legend
Join Date: Apr 2012
Location: Leeds, UK
Programs: BA GGL/CCR, GfL, HH Diamond
Posts: 42,936
Then I have to say it's a very badly written email that, certainly to my eye, gives cause for concern. I fully understand that need for the GGL team to be able to verify that they are dealing with the correct customer and carrying out their legitimate instructions but from the customer's perspective I think it's important that they can equally be sure that any request for personally identifiable information is genuine. The style and form of that e-mail - to me, at least - comes across as a phishing attempt.
Just to clarify, it has not been sent out as a mass email by the team but is being sent out on an individual basis as a reply to emails to them since the changes took effect if the email from the member doesn’t contain the information requested.