Security researcher Mustafa Al-Bassam discovered that the airline’s social media team demanded customers post a trove of personal information publicly on Twitter. This was supposed to help investigate customer service claims. The information they wanted included passport numbers, full addresses, and other sensitive personal information. The airline kept insisting this was to “comply with GDPR”.
Some users complained about the airline’s bizarrely-worded request. Therefore, British Airways began altering its replies to say that customers should send a direct message to them instead.
LEARNING TIP: Have proper company guidelines and regular staff trainings on data
protection matters to keep your staff informed and updated.