[haphap]

I just checked in online and received my boarding pass by email. When I clicked on the link it took me to a boarding pass except it wasn't mine! So I clicked on the link again and I got a different person's boarding pass, still not mine! So I did it again, and again and each time I get a different person's boarding pass! I took a few screenshots as proof.

Kinda creepy for me to be able to view other people's flight information and frequent flyer numbers etc. etc. especially on September 11th....

I called to request my actual boarding pass (which worked just fine) and tried warning the phone assistant of this error and my concern but he didn't seem to care.

Has this happened to anyone else?

[jimworcs]

If you are based in the EU, this would be a breach of the Data Protection Act and you should complain to your national Information and Data Processing Commission. However, I am not familiar with the equivalent in the US, so if you are based there, I don't know if there is any remedy available to you. In The UK, this type of breach could lead to a significant fine and an order to change their systems to prevent any recurrence.

[haphap]

I'm based in the US. Anyone know who the right "authorities" to inform would be?

[jimworcs]

Based on this Wikipedia extract, doesn't sound like there is an equivalent

Quote:

Comparison with US data protection law[edit source]

The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[10] Former U.S. President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology.[11] To date, the US has no single data protection law comparable to the EU's Data Protection Directive.[12] Privacy legislation in the United States tends to be adopted on an ad hoc basis, with legislation arising when certain sectors and circumstances require (e.g., the Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992,[13] the Fair Credit Reporting Act, and the 2010 Massachusetts Data Privacy Regulations). Therefore, while certain sectors may already satisfy the EU Directive, at least in part, most do not.[14]
The reasoning behind this approach probably has as much to do with American laissez-faire economics as with different social perspectives. The First Amendment of the United States Constitution guarantees the right to free speech.[15] While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court,[16] although it is often an explicit right in many state constitutions.[17]
Extensive European privacy regulation is usually justified in Europe with reference to experiences under World War II-era fascist governments and post-War Communist regimes, and Europeans are said to be highly suspicious and fearful of unchecked use of personal information.[18] World War II and the post-War period was a time in Europe that disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbors to work camps and concentration camps.[5] In the age of computers, Europeans’ guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in the years following World War II.[19] Germany and France, in particular, set forth comprehensive data protection laws.[20] However, European privacy directives contain explicit exemptions for many governmental organizations, including the EU itself, national security, taxation, and policing, and would not have protected citizens against the abuses suffered at the hands of fascist or communist governments.