British Airways was found to be breaching the European Union’s new General Data Protection Regulation (GDPR) last week after a security researcher discovered that the airline’s social media team was requesting that customers post their personal details publicly on Twitter if they wished to have their complaints addressed.
The security researcher who discovered the GDPR breach, Mr Mustafa Al-Bassam, saw that British Airways required its customers to post personal details in order to ‘comply with GDPR’.
He also found that British Airways has been using tracking cookies in the web browser to gather personal information, which it then shares with third-party websites. Additionally, online check-in was only permitted when ad-blocker software was disabled in a passenger’s internet browser. Via his Twitter account he said: “The plot thickens. British_Airways only lets you check-in online after you disable your adblocker, so that they can leak your booking details to tons of third party advertisers and trackers, including Twitter, LinkedIn and Google DoubleClick.”
Responding to the GDPR breach, British Airways referred to its policy for customer correspondence on social media: “We take our responsibility to protect our customers’ details very seriously. We’d never ask customers to send personal information publicly. When a genuine error is made, we will always go back to the customer to clarify this. Our social media colleagues look after around 2,000 inquiries a day, and like all customer service teams we are always careful to confirm that we are talking to the right person before making any changes to their booking.”
This may prove to be an even bigger issue for British Airways if it fails to address the errors, as any group or company breaching GDPR faces a £20m fine or 4% of annual global revenue, whichever figure is higher.