The new GDPR regulations were enforced to restrict companies from collecting and utilizing user data without users' consent, and even though its implementation had a rocky start, some companies are clearly messing things up. One such name is British Airways, which recently asked flyers to publicly share their personal information on Twitter.
A security researcher named Mustafa Al-Bassam recently spotted the airline's blunder when he discovered that the official British Airways Twitter handle asked users to share information such as passport numbers and full addresses in order to handle customer service claims.
The intention might appear to be benevolent in nature, but the most baffling aspect of the request is that British Airways asked users to share their details via a tweet, which means all followers of the airline's account can see the personal details of users who complied with the request. Even more ironic is the fact that British Airways asked for all that information in the name of GDPR compliance, a regulation that was enforced in the first place to safeguard the privacy of users.
The personal information asked for by the airline service included the flyer’s full name, booking reference, passport number and its expiry date, last 4 digits of the payment card, billing address, postal code and email address among others. What’s more, some users even replied to British Airways’ request and provided the necessary information via a tweet.
People started taking the piss out of British Airways by also asking for their customers' personal details, so they had to add an addendum 6 hours later to clarify that the customer should send the info over DM. pic.twitter.com/R6J74wZq4d
— Mustafa Al-Bassam (@musalbas) July 17, 2018
It was only after some public outrage that British Airways realized the gaffe and started informing users that they could send the required personal information via a DM, and not publicly through a tweet where it can be seen by all followers of the account.