Strange reply from Exec Club - GDPR or phishing

Old Jun 26, 2018, 4:06 pm
  #31  
 
Join Date: Jul 2014
Location: WAW ✈ LHR ✈ GLA
Programs: BA GfL/GGL/CCR, HH Diamond, IHG Diamond Ambassador
Posts: 2,499
Originally Posted by JustTheOne
Well absolutely. Except I sent a message recently to YouFirst from inside my BAEC account, asking for the menu on my booking reference XXXXX for upcoming flight number XXX on {date}. I got an emailed reply telling me that, due to GDPR, they couldn't talk to me about my booking without me giving them three bits of info from the following list: BAEC number, telephone number associated with the booking, name of person who paid for the booking, postal address associated with the booking, passport number, date of birth.

The email to BA that was generated by my query from within my logged-in account that was forwarded to me as part of the request for more info included at the bottom: my BAEC number, the telephone number associated with the booking, and my name (ie also the person who paid for the booking). So I sent the exact same info back by return email, and they gave me the menus. Beyond ridiculous - particularly as menus have absolutely nothing to do with my personal data...!!
It's not new that BA does not understand what their obligations are regarding GDPR regulation.
1. They shouldn't ask for any personal information over email - email is sent as plain text and any server between sender and recipient can read its content.
2. BA prefers to save money and impose an idiotic policy rather than train their staff properly and apply some common sense.
megaloman is offline  
Old Jun 26, 2018, 4:16 pm
  #32  
 
Join Date: Dec 2009
Location: Arizona
Programs: BA (GGL G4L), AA (Gold), HH (Diamond); Marriott (Gold)
Posts: 3,011
Originally Posted by megaloman
It's not new that BA does not understand what their obligations are regarding GDPR regulation.
1. They shouldn't ask for any personal information over email - email is sent as plain text and any server between sender and recipient can read its content.
2. BA prefers to save money and impose an idiotic policy rather than train their staff properly and apply some common sense.
While the approach BA is taking here is not the brightest approach, most modern email servers use encryption now to prevent man in the middle attacks. So while the contents of an email are unlikely to be encrypted on the machine of the end user or BA, I’m less concerned about this than I would have been 5 years ago.
dylanks is offline  
Old Jun 26, 2018, 5:42 pm
  #33  
A FlyerTalk Posting Legend
 
Join Date: Jan 2002
Posts: 44,581
Originally Posted by megaloman
It's not new that BA does not understand what their obligations are regarding GDPR regulation.
1. They shouldn't ask for any personal information over email - email is sent as plain text and any server between sender and recipient can read its content.
2. BA prefers to save money and impose an idiotic policy rather than train their staff properly and apply some common sense.
email is generally encrypted between mail servers
Dave Noble is offline  
Old Jun 26, 2018, 6:21 pm
  #34  
 
Join Date: Nov 2007
Location: UK
Programs: BA Silver, AA Gold, A3 Gold, Honors Diamond, Bonvoy Gold
Posts: 1,251
Email encryption at the server level is not end to end encryption between origin and destination servers but point to point encryption between servers which pass the message from origin to destination.

As an example, if the email originated from server A, was destined for server C but passed through server B as a relay en route, there would be encryption between A and B and then B and C. The email couldn’t be intercepted whilst in flight between servers but server A, B and C can all read the message content unless the message is encrypted at the client level (most email isn’t).
mrow is offline  
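The A -> B -> C relay mrow describes, modelled in Python as an added example (not code from this thread or from any mail provider). The cipher is a toy stand-in for TLS on the wire and for client-side encryption, and the server names and sample message are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample message: the kind of detail discussed in the thread.
SAMPLE = b"BAEC 12345678, DOB 01/01/1980, passport X0000000"
HOPS = ["A (sender's server)", "B (relay)", "C (recipient's server)"]


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter keystream; symmetric, so it also decrypts.
    Toy stand-in for TLS on the wire and for client-level (e.g. PGP) encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def relay(payload: bytes, hops: list[str]) -> tuple[dict[str, bytes], list[bytes]]:
    """Carry `payload` hop by hop, with a fresh transport key for every hop.

    Returns (what each server holds, what was visible on each wire segment).
    Transport encryption protects only the wire: each server decrypts its
    inbound hop and so holds exactly what the sender handed to server A."""
    held = {hops[0]: payload}
    wire = []
    for src, dst in zip(hops, hops[1:]):
        hop_key = os.urandom(32)                  # per-hop session key (TLS stand-in)
        segment = toy_cipher(hop_key, held[src])  # what a wiretap on this link sees
        wire.append(segment)
        held[dst] = toy_cipher(hop_key, segment)  # dst decrypts its own hop
    return held, wire


def send_plain(message: bytes = SAMPLE):
    """Transport-only encryption: A, B and C all hold the plaintext."""
    return relay(message, HOPS)


def send_e2e(message: bytes = SAMPLE, e2e_key: bytes = b"k" * 32):
    """Client-level encryption: servers and wire see only ciphertext;
    only the holder of e2e_key (the recipient's client) can read it."""
    held, wire = relay(toy_cipher(e2e_key, message), HOPS)
    recipient_reads = toy_cipher(e2e_key, held[HOPS[-1]])
    return held, wire, recipient_reads
```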
Old Jun 26, 2018, 6:35 pm
  #35  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,779
Originally Posted by dylanks
While the approach BA is taking here is not the brightest approach, most modern email servers use encryption now to prevent man in the middle attacks. So while the contents of an email are unlikely to be encrypted on the machine of the end user or BA, I’m less concerned about this than I would have been 5 years ago.
I agree and though there are weaknesses in email protocols, they are far less than they used to be. Clearly it remains the case that dodgy people can send emails from "[email protected]" emulating to be "[email protected]", and this extra safeguard reduces that risk slightly. Phishing is a real threat clearly, but this is clearly different: the OP sent a request (and doubtless checked they were using the right address), got a reply from the source and all the OP needs to do is resend the original email with the extra data. Or just ring up and provide the same information, which is less encrypted incidentally. Phishing is more about the unsolicited request for information. Moreover I have been told (and the wording in post 1 implies that this also applies to GGL enquiries) that so long as you remember to include the relevant information in the initial email, then there will be no further followup if it matches the BA data held.
corporate-wage-slave is offline  
Old Jun 26, 2018, 6:52 pm
  #36  
Original Poster
 
Join Date: May 2008
Programs: GGL
Posts: 269
Personal choice is not to send this information via email to what appears to be a robot. I am fully versed in email encryption technologies but I also understand how to spoof email clients and manipulate mail headers.

If my bank asked for similar information, even if I had initiated the email conversation, I would not send it. I would actually change who I bank with.

Anyway, happy it was not something more sinister.
cjb666 is offline  
Old Jun 26, 2018, 7:00 pm
  #37  
A FlyerTalk Posting Legend
 
Join Date: Jan 2002
Posts: 44,581
simple solution then is not to use email to deal with BA, but just telephone
Dave Noble is offline  
Old Jun 26, 2018, 7:04 pm
  #38  
Original Poster
 
Join Date: May 2008
Programs: GGL
Posts: 269
Originally Posted by Dave Noble
simple solution then is not to use email to deal with BA, but just telephone
Agree
cjb666 is offline  
Old Jun 26, 2018, 7:10 pm
  #39  
FlyerTalk Evangelist
 
Join Date: Mar 2014
Location: 4éme
Posts: 12,037
Originally Posted by dylanks
While the approach BA is taking here is not the brightest approach, most modern email servers use encryption now to prevent man in the middle attacks. So while the contents of an email are unlikely to be encrypted on the machine of the end user or BA, I’m less concerned about this than I would have been 5 years ago.
I looked up a domain that BA uses for email and it seems they are using Outlook. Hopefully they are using a private cloud solution.

contact.britishairways.com mail exchanger = 0 britishairways-com.mail.protection.outlook.com
TomMM is offline  
Old Jun 26, 2018, 10:42 pm
  #40  
Moderator: British Airways Executive Club
 
Join Date: Jan 2009
Programs: Battleaxe Alliance
Posts: 22,127
Originally Posted by Dave Noble
In this case, you initiated the conversation to get missing points credited

It would be very poor if it allowed people to bypass checks by sending an email
IMO it depends on what it is.

In some cases security checks should not even be necessary. If all the data associated with the account to which the flight is requested to be credited and the flight booking match, there should not even be any need to verify who sent the email, but rather, simply verify the flight and the account match. It's not as if the email is trying to make a redemption request, or that it is harming the account holder.

Adding a layer of inconvenience when the customer has already been inconvenienced whether it is genuinely intended to be in the interest of security or not is not good customer service.

I fully recognise the need to ensure customer security and legal compliance but if this is the inconvenient consequence of the GDPR, I have to say it has not been designed (or implemented) with the broad consumer protection in mind. There is more to protect than privacy, e.g. time.

I value my time as much as privacy and there should be a much simpler solution than to use very rudimentary, easily-available information for security verification - seems like a window-dressing solution that does not achieve much.
mrow and megaloman like this.
LTN Phobia is offline  
Old Jun 27, 2018, 2:29 am
  #41  
 
Join Date: Aug 2009
Location: North of Watford Gap
Programs: BAEC
Posts: 602
Originally Posted by TomMM
Hopefully they are using a private cloud solution.
Rather appropriate for an airline!
babats is offline  
Old Jun 27, 2018, 2:39 am
  #42  
 
Join Date: Dec 2012
Programs: GGLfL
Posts: 1,126
It would be extremely foolish of anyone to send all their personally identifiable information in an email:
- emailing is not necessarily secure and can be intercepted
- a data breach will result in all your account information being in the wrong hands
- knowing that BA sends such requests increases the likelihood of people falling victim to a phishing email requesting the same information

To be clear, GDPR does not require BA to ask for this. It requires BA to keep our personal data secure. Ironically, it is making our personal data LESS secure by asking it to be written in an email.

I am refusing to disclose all PII in email form to GGL. I suggest others do the same. The objections are being noted and fed up the chain.

Someone in BA - worrying if it is the DPO - doesn't understand what GDPR is about.
MrSimonR is offline  
Old Jun 27, 2018, 3:12 am
  #43  
 
Join Date: Apr 2016
Location: Isle of Man
Programs: IHG Platinum Elite, BA Pleb
Posts: 347
Originally Posted by LTN Phobia
Then the CR called on my registered mobile number in response (after I supplied the requested details by email), and then wanted to go through lots of security questions again. I was thinking... "Ummmm you called my number registered on my BAEC account, and you still want me to supply all that info?" although I didn't say anything because it's not the agent that decides on that kind of policy, but whoever makes that policy (the legal team??)
To be fair, just because you've answered the phone belonging to the account holder it doesn't actually mean you are the account holder.

I work in debt advice and have to go through this every time I ring someone, because of the potential consequences of divulging debt problem information to the wrong person. It is a faff, but there we are.

I certainly wouldn't send that information by email. My organisation will only send that sort of information by email where we can encrypt it, either the email itself or by sending an encrypted PDF document as an attachment.
Arctic Troll is offline  
Old Jun 27, 2018, 3:13 am
  #44  
Hilton 10+ BadgeAccor 10+ Badge
 
Join Date: Nov 2012
Location: Rhineland-Palatinate
Programs: *A Gold (A3), HHonor Gold
Posts: 5,693
Originally Posted by MrSimonR
Someone in BA - worrying if it is the DPO - doesn't understand what GDPR is about.
OT/
Who does? Seriously, there are far more poor implementations showing more or less clear misunderstanding than correct ones. Notwithstanding the ones not respecting it, with (hello Internet Brands) or without intent.
fransknorge is offline  
Old Jun 27, 2018, 3:23 am
  #45  
 
Join Date: Dec 2012
Programs: GGLfL
Posts: 1,126
Originally Posted by fransknorge
OT/
Who does? Seriously, there are far more poor implementations showing more or less clear misunderstanding than correct ones. Notwithstanding the ones not respecting it, with (hello Internet Brands) or without intent.
You need to understand much about GDPR, to know it's about ensuring personal data is kept secure. Asking for you to disclose all your personal data relating to your BAEC in an email "because of GDPR" is not only ignorant, it's irresponsible too.
ThatT1Feeling, mrow and megaloman like this.
MrSimonR is offline  