
British Airways GDPR fail exposes customer data as its worst week continues

BRITISH AIRWAYS has had a mare of a week. After a computer outage and a control tower fire at Heathrow, it has now been discovered that the flag carrier's GDPR policy has been made by people who can't even spell GDPR.

The issue was discovered by a security researcher who noticed that BA was telling customers that “in order to comply with GDPR” they needed to post their personal information publicly if using Twitter for customer service.

This included names, booking references, passport numbers, dates of birth and full addresses.

Rumours that PIN numbers and a list of phobias were also requested turned out to be made up by us, just now. Funny, though.

Mustafa al-Bassam, an Anonymous alumnus, spotted the problems during a trip to Barcelona, ironically while there to attend a security conference.

BA later changed policy and asked for people to send Direct (private) Messages. But that’s basically like sticking Elastoplasts to a severed leg – and it’s not even the half of it.

The original problem came when British Airways' website refused to let al-Bassam check in for his flight until he turned off his adblocker.

That means anyone checking in risks having their data sent silently to every third-party company whose tracking scripts are embedded in the site, because the adblocker the site insists on disabling is precisely what would have stopped those requests.

Using the Chrome developer console, he was able to show check-in data being sent to Twitter, LinkedIn and DoubleClick.
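As an added example (not code from the article, and not al-Bassam's own check), this is the kind of inspection a practitioner would run from the DevTools console: take the URLs the page requested, separate first-party hosts from third parties, then search the third-party requests for the values typed into the check-in form. The first-party hostname and the SAMPLE_REQUESTS list are assumptions constructed for illustration; on a live page the URL list comes from the Resource Timing API, as in auditCurrentPage.

```javascript
// Added example, not code from the article or from al-Bassam's report.
// Given the URLs a page requested (in DevTools: performance.getEntriesByType(
// 'resource')), flag which went to third parties and whether any of them
// carried values from the check-in form. SAMPLE_REQUESTS is constructed for
// illustration; the first-party hostname is an assumption.

const FIRST_PARTY = 'www.britishairways.com'; // assumed check-in host

// Approximate the registrable domain with the last two labels. Good enough for
// the .com/.net trackers here; a real tool should use the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Parse a URL and return its hostname, or null for data:/blob:/garbage entries.
function hostOf(url) {
  try {
    const h = new URL(url).hostname;
    return h || null;
  } catch (e) {
    return null;
  }
}

// Distinct third-party hostnames the page talked to, sorted.
function thirdPartyHosts(urls, firstPartyHost = FIRST_PARTY) {
  const own = registrableDomain(firstPartyHost);
  const hosts = new Set();
  for (const url of urls) {
    const h = hostOf(url);
    if (h && registrableDomain(h) !== own) hosts.add(h);
  }
  return [...hosts].sort();
}

// Third-party requests whose URL (after percent-decoding, so values nested in
// a "page URL" or "dp" parameter are seen too) contains a sensitive value.
function leakedValues(urls, sensitiveValues, firstPartyHost = FIRST_PARTY) {
  const own = registrableDomain(firstPartyHost);
  const findings = [];
  for (const url of urls) {
    const h = hostOf(url);
    if (!h || registrableDomain(h) === own) continue;
    let decoded;
    try { decoded = decodeURIComponent(url); } catch (e) { decoded = url; }
    for (const value of sensitiveValues) {
      if (decoded.includes(value)) findings.push({ host: h, value });
    }
  }
  return findings;
}

// Paste-in entry point for a live page: resource timing lists every URL the
// page actually loaded, so it shows what a disabled adblocker let through.
function auditCurrentPage(sensitiveValues) {
  const urls = performance.getEntriesByType('resource').map((e) => e.name);
  return {
    thirdParties: thirdPartyHosts(urls, location.hostname),
    leaks: leakedValues(urls, sensitiveValues, location.hostname),
  };
}

// Constructed sample: one check-in call plus the tracker beacons a tag manager
// typically fires, with the page URL (query string included) echoed to them.
const SAMPLE_REQUESTS = [
  'https://www.britishairways.com/api/checkin?pnr=ABC123&surname=SMITH',
  'https://static.britishairways.com/js/app.js',
  'https://stats.g.doubleclick.net/r/collect?v=1&dp=%2Fcheckin%3Fpnr%3DABC123%26surname%3DSMITH',
  'https://analytics.twitter.com/i/adsct?txn_id=abc&p_id=Twitter',
  'https://px.ads.linkedin.com/collect/?pid=1&url=https%3A%2F%2Fwww.britishairways.com%2Fcheckin%3Fpnr%3DABC123',
  'data:image/png;base64,iVBORw0KGgo=',
];
const SENSITIVE = ['ABC123', 'SMITH']; // constructed booking reference and surname

console.log(thirdPartyHosts(SAMPLE_REQUESTS));
console.log(leakedValues(SAMPLE_REQUESTS, SENSITIVE));
```

Resource Timing only exposes request URLs, so this catches values leaked in query strings, including ones echoed inside a page-URL parameter; anything sent in POST bodies, cookies or headers has to be read from the Network tab. A request the adblocker stopped never appears at all, which is exactly why the site's insistence on disabling it matters.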

Under GDPR, that is unlawful without consent that is freely given, specific, informed and unambiguous – not consent implied from a line in a privacy policy – actual ruddy consent.

In a complaint letter, he gave British Airways 30 days to respond before he raised the matter with the UK Information Commissioner's Office. He has kindly posted the whole thing on GitHub, but here's a choice paragraph:

“Note that even though your privacy policy states that you may share my personal information with third-party advertising agencies, you must still ask for consent explicitly.

“Article 7 of GDPR states: ‘if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’. I do not recall being requested for consent for you to share my data with third parties in a clearly distinguishable way.”

British Airways is yet to comment on the matter, but it's worth pointing out that GDPR fines can run to €20m or 4 per cent of global annual turnover, whichever is higher, and there are dozens of examples of the Twitter problem already.

Source : Inquirer

Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.
