FlyerTalk Forums: British Airways | Executive Club

Personal Information - new procedure making my information less secure!


Aug 10, 18, 12:49 pm
#1
Original Poster
Join Date: Jun 2005
Location: KDEN
Programs: UA GS, AA EXP, BA GGL
Posts: 101
Personal Information - new procedure making my information less secure!

Curious to know how others have dealt with this issue...

Since the beginning of this year when BA changed their personal information policy to adapt to the new GDPR requirements, I have had numerous instances where I've needed to contact the GGL line to make an urgent change to my booking. Usually this occurs during IRROPS and I'm sitting in a crowded lounge, terminal, train, or terminal transfer bus. With the new policy, I now have to read out almost all my personal details (BAEC #, name, home address, DOB, email address) in order to have any sort of discussion about the real content of my call. Anyone within earshot (or with an iPhone) could just jot all this down and call back with complete access to my account.

I realize that BA is indeed trying to protect us (and themselves), but I truly feel that I am now more exposed - and I might as well just post this all on a signboard for everyone to see. For me, this makes calling the GGL line any time I'm not sitting in a completely private space a very risky endeavour.

No other travel vendor I deal with (airline, hotel, rental car company) asks for this level of detail. They all have a password, a PIN, security questions, and/or can match the incoming caller ID with my profile as a first step in the process.

I think BA really needs to step back and reevaluate this process so we can all be more secure!

Have others had this same experience?
Dave_C, dylanks and Tobias-UK like this.
BE-58 is offline  
Aug 10, 18, 12:54 pm
#2
Join Date: Jul 2005
Location: London, CPH, ARN or HEL
Programs: Mucci Silver for life, BA GGL, HH Diamond, Radisson Gold !!, Hertz Gold PC
Posts: 3,974
Absolutely. It's a mess and is a completely back-to-front / inverse interpretation of GDPR. There have been other threads on this recently and I think I read a story that a guy who works in information security has raised a complaint to the ICO.

Here's another thread... BA/GDPR/Advertising/Checkin etc etc
ThatT1Feeling is offline  
Aug 10, 18, 1:03 pm
#3
Join Date: Jun 2018
Programs: BA Executive Club
Posts: 3
It's utter madness. I banked with First Direct for quite a long time and the phone banking was excellent - you had to set a password with them and they asked you "can you give me letters 4 and 7 from the password please" - which was much more secure.
I have been known, at the end of all the nonsense you have to go through with BA, to say "and my inside leg measurement is 32".
There MUST be a better way!
RichardLondon is offline  
Aug 10, 18, 4:15 pm
#4
Join Date: Jun 2009
Location: UK
Programs: Lemonia. Best Greek ever.
Posts: 1,275
When I complained about their disregard of GDPR - they sent our APIS data to us via open e-mails.

Here is their reply...

It shows they could not care less...

Thank you for your mail. My apologies for not responding earlier, we were in the process of investigating this issue. From reviewing the series of events, we have been able to identify how the incident occurred. As you correctly stated in your email, both you and your wife's APIS data should not have been sent by unencrypted email. I have involved the relevant departments to review and amend their processes with reference to the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. Even though this unfortunate event has occurred with your booking information (APIS details), I can assure you that British Airways processes are secure and robust. We take protection of personal data very seriously. Thank you for informing us about this issue, I would like to apologise for this data incident and recognise the inconvenience that this has caused you.

"Secure and robust"...????
Ancient Observer is offline  
Aug 10, 18, 5:23 pm
#5
FlyerTalk Evangelist
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 37,829
Originally Posted by BE-58:
Curious to know how others have dealt with this issue...

Since the beginning of this year when BA changed their personal information policy to adapt to the new GDPR requirements, I have had numerous instances where I've needed to contact the GGL line to make an urgent change to my booking. Usually this occurs during IRROPS and I'm sitting in a crowded lounge, terminal, train, or terminal transfer bus. With the new policy, I now have to read out almost all my personal details (BAEC #, name, home address, DOB, email address) in order to have any sort of discussion about the real content of my call. Anyone within earshot (or with an iPhone) could just jot all this down and call back with complete access to my account.

I realize that BA is indeed trying to protect us (and themselves), but I truly feel that I am now more exposed - and I might as well just post this all on a signboard for everyone to see. For me, this makes calling the GGL line any time I'm not sitting in a completely private space a very risky endeavour.

No other travel vendor I deal with (airline, hotel, rental car company) asks for this level of detail. They all have a password, a PIN, security questions, and/or can match the incoming caller ID with my profile as a first step in the process.

I think BA really needs to step back and reevaluate this process so we can all be more secure!

Have others had this same experience?
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.
Often1 is offline  
Aug 10, 18, 5:37 pm
#6
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 12,777
Originally Posted by Often1:
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.
No, BA could implement something like what EasyJet do. You enter your credentials separately before you actually get through to an agent. Thus, you are authenticated without having to speak.
DYKWIA is online now  
Aug 10, 18, 5:42 pm
#7
Join Date: Jan 2008
Location: LCY/DUB
Posts: 2,727
Originally Posted by Often1:
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.
This is patently incorrect; as stated above, other companies manage to deal with voice calls in a more risk-sensitive manner.

But don't let the truth get in the way of your Brexiteer narrative, eh?
lukew, csutter, rickg523 and 2 others like this.
Kgmm77 is offline  
Aug 10, 18, 5:46 pm
#8
Join Date: Nov 2015
Location: London
Programs: BA Gold
Posts: 730
Originally Posted by DYKWIA:
No, BA could implement something like what EasyJet do. You enter your credentials separately before you actually get through to an agent. Thus, you are authenticated without having to speak.
Exactly. It's not just the people listening to your end of the call, it's the fact that the call centre agent also has far too many details about you. It should always be a password or secure code of some sort, and they should ask only for certain digits; a system at their end should then confirm you are who you say. You should never have to give complete information to anyone verbally, it's immediately insecure.
dougzz is offline  
Aug 11, 18, 12:19 am
#9
Join Date: May 2013
Posts: 5,931
Originally Posted by Often1:
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.
I would respectfully suggest this is nonsense.
There are many ways of securely identifying the client which don't involve reading out all one's personal details in public. Where there is a will there is a way, but generally BA lacks the will.
simons1 is offline  
Aug 11, 18, 12:35 am
#10
Join Date: Aug 2014
Posts: 1,363
Originally Posted by dougzz:
Exactly. It's not just the people listening to your end of the call, it's the fact that the call centre agent also has far too many details about you. It should always be a password or secure code of some sort, and they should ask only certain digits, a system at their end should then confirm you are who you say. You should never have to give complete information to anyone verbally, it's immediately insecure.
The contact centre agent has too many details about you?! Odd comment given that it is information we would see on the account anyway!
Anonba is offline  
Aug 11, 18, 1:05 am
#11
Join Date: Jan 2013
Location: London, UK
Programs: BA GGL, A3 Gold, FlyingBlue Gold, AS MVP Gold, Hilton Diamond, IHG Spire Amb, Accor Gold
Posts: 531
Well, this gets worse. Have you tried emailing the GGL team about anything lately? It used to suffice to give your BAEC number, but now you have to include your full name, date of birth and mailing address before they can assist with a seat change, for instance. Absolutely bonkers, and as frustrating for them as it is for us.
ThatT1Feeling likes this.
wmaciej is offline  
Aug 11, 18, 3:24 am
#12
Join Date: Jun 2008
Location: Oslo, Norway
Posts: 481
Originally Posted by RichardLondon:
It's utter madness. I banked with First Direct for quite a long time and the phone banking was excellent - you had to set a password with them and they asked you "can you give me letter 4 and 7 from the password please" - which was much more secure.
This implementation is, from a security standpoint, absolutely horrible and against most recommendations. It means that the password is stored in clear text or two-way encrypted, not as a one-way hash. Storing passwords this way leads to millions getting lost out there when there is a data breach. And most people are using the same passwords multiple times, and also reading the complete password back on the phone...

Originally Posted by dougzz:
Exactly. It's not just the people listening to your end of the call, it's the fact that the call centre agent also has far too many details about you.
They only ask for information in your booking/account...

GDPR requires security/privacy by design, and one such design can be that the agent is unable to access your account/booking based only on name and PNR. The design could be that the agent must enter the DOB to get access. In this way the system gets more tamper-resistant and stops people from accessing information on their own. I don't think BA have implemented this; I guess the agents just get some pieces of information on their screen and are required to check it.

As for caller ID verification as the only source - this is easily spoofed. A one-way SMS with a code/token is a bit better.

But right now - yes, I think they are asking way too many questions for some issues like seat changes...

Also, if they had implemented a decent chat function, a lot could have been resolved by letting people log in or enter information there before getting to an agent. Some airlines are using chat with huge success, and one skilled agent can normally handle 4-5 customers in parallel.
Discus is offline  
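Added example, not code from BA, EasyJet, First Direct or any poster in this thread. It sketches the phone-line authentication design argued for in posts #6, #8 and #12 above: a PIN keyed in before an agent joins and checked against a one-way hash (so the agent only sees pass/fail and nothing secret is spoken), a short-lived single-use code delivered out of band instead of trusting caller ID, and, for contrast, a "letters 4 and 7" check whose signature shows why it needs the password recoverable on the server. The PBKDF2 work factor, 6-digit code length, 5-minute expiry, single-attempt rule, in-process server key and all account data are assumptions constructed for the example.

```python
# Added example (not BA's, EasyJet's, First Direct's or any poster's code).
# Assumptions: PBKDF2 parameters, code length, expiry, single-attempt policy
# and the account data are all constructed for illustration.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000      # assumed work factor
CODE_TTL_SECONDS = 300           # assumed one-time-code lifetime (5 minutes)
SERVER_KEY = os.urandom(32)      # stand-in for a key held in an HSM/KMS


def hash_secret(secret: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). Only these are stored; the PIN itself never is."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    membership_number: str            # an identifier, not a secret
    pin_salt: bytes
    pin_hash: bytes
    code_mac: Optional[bytes] = None  # keyed MAC of the outstanding one-time code
    code_expiry: float = 0.0


def enrol(membership_number: str, pin: str) -> Account:
    salt, digest = hash_secret(pin)
    return Account(membership_number, salt, digest)


def verify_keypad_pin(acct: Account, entered: str) -> bool:
    """IVR step: the caller keys the PIN before an agent joins. The agent only
    ever sees the boolean result, and nothing secret is said aloud."""
    _, digest = hash_secret(entered, acct.pin_salt)
    return hmac.compare_digest(digest, acct.pin_hash)


def verify_partial_password(stored_plaintext: str, positions: list, answers: str) -> bool:
    """The "give me letters 4 and 7" check. Its first argument is the point:
    the check can only run if the server can recover the whole password,
    which is why a one-way hash cannot support it."""
    expected = "".join(stored_plaintext[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answers.encode())


def _mac(code: str) -> bytes:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


def issue_one_time_code(acct: Account, now: Optional[float] = None) -> str:
    """Create a 6-digit code to deliver out of band (SMS, app push). Only a
    keyed MAC of it is kept, so a database leak does not expose live codes."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.code_mac = _mac(code)
    acct.code_expiry = now + CODE_TTL_SECONDS
    return code


def verify_one_time_code(acct: Account, presented: str, now: Optional[float] = None) -> bool:
    """Single attempt, single use: the stored MAC is cleared before the result
    is known, so a wrong guess cannot be followed by a second try and a
    correct code cannot be replayed."""
    now = time.time() if now is None else now
    stored, expiry = acct.code_mac, acct.code_expiry
    acct.code_mac, acct.code_expiry = None, 0.0
    if stored is None or now > expiry:
        return False
    return hmac.compare_digest(_mac(presented), stored)


if __name__ == "__main__":
    acct = enrol("12345678", "4829")            # constructed account
    print("keypad PIN ok:", verify_keypad_pin(acct, "4829"))
    print("partial check (needs cleartext):", verify_partial_password("horsebattery", [4, 7], "sa"))
    code = issue_one_time_code(acct)
    print("one-time code ok:", verify_one_time_code(acct, code))
    print("replay rejected:", not verify_one_time_code(acct, code))
```

The contrast between `verify_keypad_pin` and `verify_partial_password` is the whole argument of post #12: the hashed PIN can be checked without the server ever holding the PIN, while the partial-character challenge cannot be expressed without the plaintext as input. The single-attempt rule in `verify_one_time_code` is what makes a six-digit code survive a short window; without it, 10^6 guesses over five minutes is not a hard target.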
Aug 11, 18, 3:34 am
#13
Join Date: Jul 2005
Location: London, CPH, ARN or HEL
Programs: Mucci Silver for life, BA GGL, HH Diamond, Radisson Gold !!, Hertz Gold PC
Posts: 3,974
Originally Posted by Often1:
As to voice communications, it is far from ludicrous. It is the natural consequence of GDPR and the mindset which it has created.

If you choose voice communications to communicate, you must take care to assure that your end of the conversation is in a private location. No different than bellowing your private information out on a public street.

It goes without saying that this may not be possible at a busy airport, but that is something which the Eurocrats failed to think about, along with much else.

Can't blame this one on BA.
I disagree. The principles of GDPR are sound and are arguably overdue. The way the regulations are interpreted is unfortunately down to individual companies, probably without sufficient guidance on how to be effective.

Therefore you get wildly different approaches to implementation and, working as I do as a consultant in the digital space with a number of clients, they all interpret it differently. I think BA has taken an ill-informed interpretation of the regulations and created a situation where there is holistically now even less data security for personal customer data than before. I don't believe for a second that their processes are "secure and robust", or that they have privacy by design in their DNA.
lukew likes this.
ThatT1Feeling is offline  
Aug 11, 18, 4:28 am
#14
Join Date: Mar 2018
Posts: 215
The same problem is encountered with BA on Twitter.

'Please let us know how we can help. We'll need your account number, full name, your registered address, email address and your date of birth.'
Lizie is offline  
Aug 11, 18, 4:57 am
#15
Join Date: Sep 2013
Programs: BAEC Gold, EK Skywards (enhanced Blue !), Oman Air Sindbad Gold
Posts: 4,320
Originally Posted by Lizie:
The same problem is encountered with BA on Twitter.

'Please let us know how we can help. We'll need your account number, full name, your registered address, email address and your date of birth.'
And - as one joker tweeted back to BA - "Would you like me to send my PIN too?"
BE-58, ThatT1Feeling and Lizie like this.
subject2load is offline  