Whoever's manning the BA social media accounts really needs to do a serious hour of in-house security training, as the firm has been discovered asking travellers to reply – publicly, on Twitter – with their names, passport numbers, post codes and more, in order to "comply with GDPR" in some bizarre way.
The case was discovered when a disgruntled traveller complained to the airline's social media team, as you do, after a nightmare air trip that failed to get off the ground after a four-hour delay and cancellation. He was probably hoping for a money-off voucher or an invite into the cockpit to wink at the captain on his next flight as compensation, but what he got was a message asking for masses of personal details before anyone would even banter with him or exchange animated GIFs.
BA replied with: "To comply with GDPR, please confirm your full name and booking reference. We also need 2 of the following: passport number & expiry date, the last four digits of the payment card, billing address & post code, email address."
That's... everything. A complete ID theft kit that BA's asking its customers to post publicly. May as well have asked for high-res macro photography of the poor man's fingerprints, a DNA swab and as large a sample of semen as he could produce at short notice.
BA later amended its data demand message to say that perhaps it might be better to DM it to social media staff, but it's still possible to find lots of people's personal data by trudging through public replies. Some BA staff are going to be having a meeting about this later today, we should think. [Twitter via Techcrunch]