(Update: we've had not one but two statements from BA. We've added them at the end.)
BRITISH AIRWAYS has had a mare of a week. After a computer outage and a control tower fire at Heathrow, it has now been discovered that the flag carrier's GDPR policy has been made by people who can't even spell GDPR.
The issue was discovered by a security researcher who noticed that BA was telling customers that "in order to comply with GDPR" they needed to post their personal information publicly if using Twitter for customer service.
This included names, booking references, passport numbers, dates of birth and full addresses.
Rumours that PIN numbers and a list of phobias were also requested turned out to be made up by us, just now. Funny, though.
Mustafa al-Bassam, an Anonymous alumnus, spotted the problems during a trip to Barcelona, ironically to attend a security conference.
BA later changed its policy and asked people to send Direct (private) Messages instead. But that's basically like sticking Elastoplasts on a severed leg - and it's not even the half of it.
The original problem came when British Airways' website refused to let al-Bassam check in for his flight until he turned off his adblocker.
This means that anyone checking in risks their data being leaked silently to any company that has tracking cookies on the site.
Using the Chrome developer console, he was able to show data being leaked to Twitter, LinkedIn and Doubleclick.
Under GDPR, this is illegal as full consent is required for any data collection - not implied consent - actual ruddy consent.
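The leak al-Bassam demonstrated from the developer console can be checked for systematically. What follows is an added example, not code from the article, from BA or from the researcher: it runs over a constructed list of requests (shaped like what a Network tab or HAR export would show during check-in), flags the ones going to third-party hosts, and reports which check-in fields each one received, including fields smuggled inside a URL-encoded referrer parameter. All hostnames, paths and field names are assumptions for illustration.

```javascript
// Origin of the page being audited and the field names considered sensitive (assumed for this example).
const PAGE_ORIGIN = 'https://www.britishairways.com';
const SENSITIVE_FIELDS = ['bookingRef', 'passport', 'dob', 'surname'];

// Constructed sample of outgoing requests, as a Network tab or HAR export would list them.
// The third-party entries carry the check-in URL (with its query string) as a referrer parameter.
const capturedRequests = [
  { url: 'https://www.britishairways.com/api/checkin?bookingRef=ABC123&surname=Smith', cookies: ['session'] },
  { url: 'https://analytics.twitter.com/i/adsct?txn_id=x&ref=https%3A%2F%2Fwww.britishairways.com%2Fcheckin%3FbookingRef%3DABC123', cookies: ['personalization_id'] },
  { url: 'https://px.ads.linkedin.com/collect?pid=1&url=https%3A%2F%2Fwww.britishairways.com%2Fcheckin%3FbookingRef%3DABC123%26dob%3D1990-01-01', cookies: ['li_sugr'] },
  { url: 'https://stats.g.doubleclick.net/r/collect?v=1&t=dc&aip=1', cookies: ['IDE'] },
];

// Registrable-domain approximation: last two labels. Fine for the .com/.net hosts in this sample;
// a real audit should use the public suffix list so that e.g. co.uk hosts are grouped correctly.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isThirdParty(url) {
  return site(new URL(url).hostname) !== site(new URL(PAGE_ORIGIN).hostname);
}

// Percent-decode repeatedly until the string stops changing, so nested encodings are unwrapped.
function fullyDecode(s) {
  for (let i = 0; i < 5; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { break; } // malformed escape: stop here
    if (next === s) break;
    s = next;
  }
  return s;
}

// Sensitive parameter names present anywhere in the (decoded) URL, including inside referrer params.
function leakedFields(url) {
  const decoded = fullyDecode(url);
  return SENSITIVE_FIELDS.filter((f) => decoded.includes(f + '='));
}

// Third-party requests that received at least one sensitive field. `identifying` is true when the
// request also carried cookies, i.e. the recipient can tie the booking data to an existing profile.
function auditRequests(requests) {
  return requests
    .filter((r) => isThirdParty(r.url))
    .map((r) => ({ host: new URL(r.url).hostname, fields: leakedFields(r.url), identifying: r.cookies.length > 0 }))
    .filter((finding) => finding.fields.length > 0);
}

console.table(auditRequests(capturedRequests));
```

The Doubleclick request is omitted from the findings because, in this constructed sample, it received no check-in fields; only the requests that actually carried booking data are reported.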
In a complaint letter, he warned that British Airways had 30 days to avoid being reported to the UK Information Commissioner. You can read the whole thing here, as he's kindly posted it on GitHub, but here's a choice paragraph:
"Article 7 of GDPR states: 'if the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language'. I do not recall being requested for consent for you to share my data with third parties in a clearly distinguishable way."
British Airways is yet to comment on the matter, but it's worth pointing out that GDPR carries a heavy fine for each infraction, and there are dozens on Twitter already.
BA statements received late on Friday argue that the incident was the exception rather than the rule as far as its policy goes:
"We take our responsibility to protect our customers' details very seriously.
"We'd never ask customers to send personal information publicly. When a genuine error is made, we will always go back to the customer to clarify this.
"Our social media colleagues look after around 2,000 enquiries a day, and like all customer service teams, we are always careful to confirm that we are talking to the right person before making any changes to their booking.
"We are transparent with customers about our cookie terms and conditions, and always ask them to review the details before choosing whether to accept or opt out."
It's worth noting that last bit: if you've not bothered to read the terms and conditions and just clicked "accept" or "agree" or "yes", then there's not a lot you can do to argue.