If what was said upthread that BA has been successfully targeted recently by data breaches (as part of organised fraud) is correct, then with GDPR impending (and the new punitive turnover based sanctions that come with it) then what the CSR said may not be far from the truth. After all, they are unlikely to be data protection regulation experts.

The responsibility lies with BA to ensure that our data is looked after and can be accessed by the correct parties when their authority and identities are proven. This isn't in question and doesn't need to be. The fact that BA has been inadequate in providing this mechanism has been glossed over, but it doesn't stop this basic requirement. Blaming the government for not being able to cover the basics (without direction) would to many people seem outrageous.

Please don't try to re-write the facts to make your argument less feeble. Read post no.7, in which OP clearly protests against the need to provide his passport expiry date, as well as the reason given for demanding it.

Do you have proof BA is to blame when member accounts get hacked and not the members themselves?

I don't need proof.

Your question is irrelevant firstly to anything I've written and secondly to the thread.

Perhaps I was not clear enough: I called and said I would like to upgrade a flight in my name using avios from my account.

1. A "mistake" would be a reasonably held view. It became obvious he did not hold that view but had simply made it up.
2. It is a change to security protocols. I am not sure anyone is disputing that.
3. I made the point that BAEC members should have been notified of the change. Interesting that they did see the need to notify some but not all of those likely to be affected

I love the irony of somebody who flies extremely infrequently with BA sitting down to change passport details and in the same paragraph lecturing about lif is too short😀

My point was twofold - don't lie to me and tell me in advance if you are changing your protocols (even if members using UUA on their own bookings is hardly a cause of fraud)

Not far from the truth? Is it too much to expect "the truth"?


It amazes me how this forum can take the simplest valid criticism and turn it upside down and inside out to try to justify the unjustifiable.

Ahbutters who can't possibly know as they weren't there. And repeat.

What does the OP say. That is what we are debating. Not a post half way through made after the usual suspects have appeared.

Anyhow I see the OP has clarified for you.

Indeed what did I say even including post #7 ?

Me too. I used to keep a copy in an email to myself, but now have a scan stored as a note in LastPass as well as the data written into the note.

I am intrigued to learn that this just started Sept 1. I called in September and, half way through a phone call with a staff member on the GGL line, she stopped what she was doing and asked me for my passport number and expiry date. It *appeared* to me that she was at that point looking for any excuse not to assist. I asked why, and she said it "was standard data protection rules" and that it's "how it's always been."

I'm glad to see that indeed she wasn't just being difficult, and that maybe it wasn't as it appeared at the time. Although it would seem she was fudging it a bit by claiming that's how it's always been.

Having a BA profile loaded with a memorable but made-up "passport" number and expiration date is not beyond the realm of the possible. Plenty of BAEC members don't have actual, state-recognized passports to provide BA, let alone anyone else.

Loyalty program operators need to up their account security game, for their own sake and that of the customers. But some measures taken in the name of security are akin to allocating resources that win a battle but cost the war, all while setting up a situation where there will be lots of collateral damage. Equifax is a case in point.

Welcome to getting a crash course in "BA can do little/no wrong" -- that kind of stuff is expected around these parts.

This is causing me a small amount of hassle with domestic bookings that our corporate TA makes, but doesn't pass the passport number across on. It seems that the API part of MMB is not offered for domestics, so I can't add it there either. If a POUG is then offered it seems because of the TA origin there is a to need a call to BA, but they can't then get me past security checks.

I haven't worked out yet whether the passport number not being sent is a policy on domestic bookings, or whether some of the data they are holding is incomplete.

It's not always clear cut. A lot of legislation is 'outcomes focused', ie having 'policies and procedures' in place or ensuring x 'so far as is reasonably practicable'. The legislation doesn't say "airline call centre agents must verify the passport expiry date of each customer when seeking to use frequent flier miles to upgrade travel trade bookings"! BA's procedure is no doubt a response to findings from things like internal compliance audits, and is a policy brought in to meet legal requirements. Obviously there's an element of what is commercially appropriate too which is a judgment call. So, in those circumstances, is it wrong to say it's a measure introduced for 'legal' reasons? I don't think it is. It's a form of shorthand.

Is the information in Personal Information in My Executive Club lining up with the information you are are providing?

You cant add APIS for domestics so the agent should ask alternate security questions as it isnt possible to add.