FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   British Airways | Executive Club (https://www.flyertalk.com/forum/british-airways-executive-club-446/)
-   -   Personal Information - new procedure making my information less secure! (https://www.flyertalk.com/forum/british-airways-executive-club/1924525-personal-information-new-procedure-making-my-information-less-secure.html)

BE-58 Aug 10, 2018 11:49 am

Personal Information - new procedure making my information less secure!
 
Curious to know how others have dealt with this issue...

Since the beginning of this year when BA changed their personal information policy to adapt to the new GDPR requirements, I have had numerous instances where I've needed to contact the GGL line to make an urgent change to my booking. Usually this occurs during IRROPS and I'm sitting in a crowded lounge, terminal, train, or terminal transfer bus. With the new policy, I now have to read out almost all my personal details (BAEC #, name, home address, DOB, email address) in order to have any sort of discussion about the real content of my call. Anyone within earshot (or with an iPhone) could just jot all this down and call back with complete access to my account.

I realize that BA is indeed trying to protect us (and themselves), but I truly feel that I am now more exposed - and I might as well just post this all on a signboard for everyone to see. For me, this makes calling the GGL line any time I'm not sitting in a completely private space a very risky endeavour.

No other travel vendor I deal with (airline, hotel, rental car company) asks for this level of detail. They all have a password, a PIN, security questions, and/or can match the incoming caller ID with my profile as a first step in the process.

I think BA really needs to step back and reevaluate this process so we can all be more secure!

Have others had this same experience?

ThatT1Feeling Aug 10, 2018 11:54 am

Absolutely. It's a mess and is a completely back-to-front / inverse interpretation of GDPR. There have been other threads on this recently and I think I read a story that a guy who works in information security has raised a complaint to the ICO..

Here's another thread... https://www.flyertalk.com/forum/brit...n-etc-etc.html

RichardLondon Aug 10, 2018 12:03 pm

It's utter madness. I banked with First Direct for quite a long time and the phone banking was excellent - you had to set a password with them and they asked you "can you give me letter 4 and 7 from the password please" - which was much more secure.
I have been known at the end of all the nonsense you have to go through with BA to say "and my inside leg measurement is 32"
There MUST be a better way!

Ancient Observer Aug 10, 2018 3:15 pm

When I complained about their disregard of GDPR (they sent our APIS data to us via open e-mails), this is what happened.

Here is their reply:

It shows they could not care less...............


Thank you for your mail. My apologies for not responding earlier, we were in the process of investigating this issue. From reviewing the series of events, we have been able to identify how the incident occurred. As you correctly stated in your email, both you and your wife’s APIS data should not have been sent by unencrypted email. I have involved the relevant departments to review and amend their processes with reference to the General Data Protection Regulation – GDPR (UK Data Protection Act 2018). Even though this unfortunate event has occurred with your booking information (APIS details), I can assure you that British Airways processes are secure and robust. We take protection of personal data very seriously. Thank you for informing us about this issue, I would like to apologise for this data incident and recognise the inconvenience that this has caused you.


"Secure and robust"........????

Often1 Aug 10, 2018 4:23 pm


Originally Posted by BE-58 (Post 30068792)
Curious to know how others have dealt with this issue...

Since the beginning of this year when BA changed their personal information policy to adapt to the new GDPR requirements, I have had numerous instances where I've needed to contact the GGL line to make an urgent change to my booking. Usually this occurs during IRROPS and I'm sitting in a crowded lounge, terminal, train, or terminal transfer bus. With the new policy, I now have to read out almost all my personal details (BAEC #, name, home address, DOB, email address) in order to have any sort of discussion about the real content of my call. Anyone within earshot (or with an iPhone) could just jot all this down and call back with complete access to my account.

I realize that BA is indeed trying to protect us (and themselves), but I truly feel that I am now more exposed - and I might as well just post this all on a signboard for everyone to see. For me, this makes calling the GGL line any time I'm not sitting in a completely private space a very risky endeavour.

No other travel vendor I deal with (airline, hotel, rental car company) asks for this level of detail. They all have a password, a PIN, security questions, and/or can match the incoming caller ID with my profile as a first step in the process.

I think BA really needs to step back and reevaluate this process so we can all be more secure!

Have others had this same experience?

As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.

DYKWIA Aug 10, 2018 4:37 pm


Originally Posted by Often1 (Post 30069624)
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.

No, BA could implement something like what EasyJet do. You enter your credentials separately before you actually get through to an agent. Thus, you are authenticated without having to speak.
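The "enter your credentials before you reach an agent" step DYKWIA describes, as an added example that is not part of the original post and is not EasyJet's or BA's code. It assumes a hypothetical server component behind the IVR: a one-time code is issued to the account holder (the SMS sending itself is not shown), the caller keys it in as DTMF digits, and the agent's screen then only receives an "authenticated" flag plus masked identifiers rather than the full record. Expiry, attempt cap and single use are assumed policy values, not anything the thread states.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed policy: 6-digit code keyed in via the phone keypad
CODE_TTL_SECONDS = 300   # assumed policy: code valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong entries burn the code


class IvrAuthenticator:
    """Server side of a pre-agent authentication step (hypothetical design)."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key      # server-side HMAC key; in production it lives in an HSM/KMS
        self._now = now      # injectable clock so expiry can be tested offline
        self._pending = {}   # account_id -> (keyed digest, expires_at, attempts_left)

    def _digest(self, account_id: str, code: str) -> bytes:
        # Bind the code to the account so a code issued for one account cannot
        # be replayed against another; only this digest is stored, never the code.
        return hmac.new(self._key, f"{account_id}:{code}".encode(), hashlib.sha256).digest()

    def issue_code(self, account_id: str) -> str:
        """Generate a fresh code for delivery out of band (e.g. SMS); keep only its digest."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[account_id] = (
            self._digest(account_id, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify_dtmf(self, account_id: str, keyed_digits: str) -> bool:
        """Check the digits the caller keyed in. Single use, time-limited, attempt-capped."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            self._pending.pop(account_id, None)
            return False
        ok = hmac.compare_digest(digest, self._digest(account_id, keyed_digits))
        if ok:
            self._pending.pop(account_id, None)          # a code is accepted at most once
        else:
            self._pending[account_id] = (digest, expires_at, attempts_left - 1)
        return ok


def mask(identifier: str, keep: int = 4) -> str:
    """Show only the trailing characters of an identifier on the agent's screen."""
    return "*" * max(len(identifier) - keep, 0) + identifier[-keep:]


def agent_view(account: dict, authenticated: bool) -> dict:
    """What reaches the agent after the IVR step: a yes/no and masked identifiers.

    The agent never has to hear or see the full account number, address or DOB
    to know the caller has been verified.
    """
    return {
        "authenticated": authenticated,
        "account": mask(account["account_number"]),
        "name": account["name"],
    }


if __name__ == "__main__":
    auth = IvrAuthenticator(key=secrets.token_bytes(32))
    account = {"account_number": "12345678", "name": "A. Traveller"}   # constructed sample
    code = auth.issue_code(account["account_number"])                    # would be sent by SMS
    ok = auth.verify_dtmf(account["account_number"], code)               # caller keys it in
    print(agent_view(account, ok))
```

The design choice worth noting: the server stores a keyed digest bound to the account, so a dump of the pending table gives an attacker nothing usable, and the agent's screen gets a verification result rather than the customer's personal data.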

Kgmm77 Aug 10, 2018 4:42 pm


Originally Posted by Often1 (Post 30069624)
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.

This is patently incorrect; as stated above, other companies manage to deal with voice calls in a more risk-sensitive manner.

But don’t let the truth get in the way of your Brexiteer narrative eh?

dougzz Aug 10, 2018 4:46 pm


Originally Posted by DYKWIA (Post 30069659)
No, BA could implement something like what EasyJet do. You enter your credentials separately before you actually get through to an agent. Thus, you are authenticated without having to speak.

Exactly. It's not just the people listening to your end of the call, it's the fact that the call centre agent also has far too many details about you. It should always be a password or secure code of some sort, and they should ask only certain digits, a system at their end should then confirm you are who you say. You should never have to give complete information to anyone verbally, it's immediately insecure.

simons1 Aug 10, 2018 11:19 pm


Originally Posted by Often1 (Post 30069624)
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.

I would respectfully suggest this is nonsense.
There are many ways of securely identifying the client which don't involve reading out all one's personal details in public. Where there is a will there is a way, but generally BA lacks the will.

Anonba Aug 10, 2018 11:35 pm


Originally Posted by dougzz (Post 30069691)
Exactly. It's not just the people listening to your end of the call, it's the fact that the call centre agent also has far too many details about you. It should always be a password or secure code of some sort, and they should ask only certain digits, a system at their end should then confirm you are who you say. You should never have to give complete information to anyone verbally, it's immediately insecure.

The contact centre agent has too many details about you?! Odd comment given that it is information we would see on the account anyway!

wmaciej Aug 11, 2018 12:05 am

Well, this gets worse. Have you tried emailing the GGL team about anything lately? It used to suffice to give your BAEC number, but now you have to include your full name, date of birth and mailing address before they can assist with a seat change, for instance. Absolute bonkers and as frustrating for them as it is for us.

Discus Aug 11, 2018 2:24 am


Originally Posted by RichardLondon (Post 30068838)
It's utter madness. I banked with First Direct for quite a long time and the phone banking was excellent - you had to set a password with them and they asked you "can you give me letter 4 and 7 from the password please" - which was much more secure.

This implementation is from a security standpoint absolutely horrible and against most recommendations. It means that the passwords are stored in clear-text/two-way encrypted, not as a one-way hash. Storing passwords this way leads to millions getting lost out there when there is a data breach. And most people are using the same passwords multiple times, and also reading the complete password back on the phone...


Originally Posted by dougzz (Post 30069691)
Exactly. It's not just the people listening to your end of the call, it's the fact that the call centre agent also has far too many details about you.

They only ask for information in your booking/account...

GDPR requires security/privacy by design, and one such design can be that the agent is unable to access your account/booking based only on name and PNR. The design could be that the agent must enter the DOB to get access. In this way the system gets more tamper-resistant and avoids people accessing information on their own. I don't think BA has implemented this; I guess the agents just get some pieces of information on their screen and are required to check it.

As for caller-ID verification as the only source - this is easily spoofed. A one-way SMS with a code/token is a bit better.

But right now - yes, I think they are asking way too many questions for some issues like seat changes...

Also, if they had implemented a decent chat function, a lot could have been resolved by letting people log in or enter information there before getting to an agent. Some airlines are using chat with huge success, and one skilled agent can normally handle 4-5 customers in parallel.
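Two posts above turn on the same point: dougzz wants the agent to ask for "only certain digits" and have a system confirm them, and Discus replies that the First Direct style "letter 4 and 7" check forces the password to be kept readable. The block below is an added example, not code from either poster, First Direct or BA, and its design is an assumption of mine: it puts a full-secret one-way check, the naive partial check (which really does need the plaintext), and a partial check that works from keyed per-position-pair digests side by side, so a reader can see what each one has to store. The secret length, pair size and HMAC key handling are illustrative choices.

```python
import hashlib
import hmac
import itertools
import os
import secrets

PBKDF2_ROUNDS = 200_000   # illustrative work factor for the full-secret check
K = 2                     # number of characters asked for per challenge ("letter 4 and 7")


# 1. Full-secret check: salted, slow, one-way. Nothing reversible is stored.
def enroll_full(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


# 2. Partial check done naively: the service must keep the whole password readable
#    (or reversibly encrypted), which is the weakness Discus points out.
def verify_partial_naive(stored_plaintext: str, positions, answer: str) -> bool:
    expected = "".join(stored_plaintext[p - 1] for p in positions)   # positions are 1-based
    return hmac.compare_digest(expected.encode(), answer.encode())


# 3. Partial check without a readable copy: at enrolment keep one keyed digest per
#    K-subset of positions; at call time the agent keys in only the characters asked
#    for and the system answers yes/no. The agent never sees the rest of the secret.
def _pair_digest(key: bytes, salt: bytes, positions, chars: str) -> bytes:
    msg = salt + bytes(positions) + chars.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def enroll_partial(secret: str, key: bytes) -> dict:
    salt = os.urandom(16)
    n = len(secret)
    table = {}
    for positions in itertools.combinations(range(1, n + 1), K):   # C(n, K) entries
        chars = "".join(secret[p - 1] for p in positions)
        table[positions] = _pair_digest(key, salt, positions, chars)
    return {"salt": salt, "length": n, "table": table}


def make_challenge(record: dict) -> tuple:
    """Pick K distinct 1-based positions to ask the caller for."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, record["length"] + 1), K)))


def verify_partial(record: dict, key: bytes, positions, answer: str) -> bool:
    if len(positions) != K or len(answer) != K:
        return False
    pairs = sorted(zip(positions, answer))          # accept "7 then 4" as well as "4 then 7"
    pos = tuple(p for p, _ in pairs)
    chars = "".join(c for _, c in pairs)
    stored = record["table"].get(pos)
    if stored is None:
        return False
    return hmac.compare_digest(_pair_digest(key, record["salt"], pos, chars), stored)


def offline_guesses_per_pair(alphabet_size: int) -> int:
    """Worst-case guesses to recover one stored pair if the HMAC key is ever exposed."""
    return alphabet_size ** K


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in production: held in an HSM, not beside the table
    rec = enroll_partial("swordfish", key)  # constructed sample secret
    challenge = make_challenge(rec)
    print("agent asks for positions", challenge)
    answer = "".join("swordfish"[p - 1] for p in challenge)   # what the caller reads out
    print("system confirms:", verify_partial(rec, key, challenge, answer))
```

The caveat a practitioner should carry away: scheme 3 removes the readable copy, but each stored pair covers only two characters of a short, memorable word, so if the HMAC key leaks the table is trivially brute-forced (`offline_guesses_per_pair(26)` is 676). Its strength rests on the key staying inside an HSM and on rate limiting, not on the digests themselves. And whichever scheme is used, anyone overhearing several calls still collects the positions that were asked for, so partial challenges shrink what an eavesdropper learns per call without removing BE-58's crowded-lounge problem altogether.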

ThatT1Feeling Aug 11, 2018 2:34 am


Originally Posted by Often1 (Post 30069624)
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.

I disagree. The principles of GDPR are sound and are arguably overdue. The way the regulations are interpreted is unfortunately down to individual companies, probably without sufficient guidance on how to be effective.

Therefore you get wildly different approaches to implementation and, working as I do as a consultant in the digital space with a number of clients, they all interpret it differently. I think BA has taken an ill-informed interpretation of the regulations and created a situation where there is holistically now even less data security for personal customer data than before. I don't believe for a second that their processes are "secure and robust", or that they have privacy by design in their DNA.

Lizie Aug 11, 2018 3:28 am

The same problem is encountered with BA on twitter.

'Please let us know how we can help. We'll need your account number, full name, your registered address, email address and your date of birth.'

subject2load Aug 11, 2018 3:57 am


Originally Posted by Lizie (Post 30070763)
The same problem is encountered with BA on twitter.

'Please let us know how we can help. We'll need your account number, full name, your registered address, email address and your date of birth.'

And - as one joker tweeted back to BA - “Would you like me to send my PIN too ?”




This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.