Blick reader Christina Ueberschlag (48) contacted Swiss a few days ago. She asked on Twitter if the Air Baltic flight would be used on a flight from Zurich via Munich to Bari. This operates flights on behalf of Switzerland. He received the answer not in a private message from a Swiss employee, but publicly via Twitter. And the tweet had his booking code!
Surname and reservation code are sufficient to access an existing reservation. This can be changed or canceled later. Ueberschlag is talking about a serious data protection breach.
When asked by Blick, Swiss spokesperson Michael Pelzer explained that only a few pieces of data are available, along with the first and last name and the reservation code: the contact information stored for sending the boarding pass after online check-in, and any frequent flyer numbers. On the other hand, personal data such as home address, date of birth or payment details are not visible. “Access to any swiss.com or Miles & More profile is never possible,” says Pelzer.
Hesitant Swiss response
A small consolation for tipping. ‘The news came at one o’clock in the morning; I didn’t see them until hours later,” explains the frequently traveling market researcher. When he informed Swiss about this unacceptable release of reservation data, he was first informed that he could delete the listing himself, with a succinct apology. nothing happened.
Theoretically, someone with the booking code and its name, both of which appeared on Twitter, could capture their reservation and book a flight to Buenos Aires or elsewhere at their own expense and send it to their own email address. Fortunately that didn’t happen.
In the meantime, however, the Ueberschlag was contacted. Swiss declares that the reservation reference and the associated ticket number have been deleted in the meantime. Christina Ueberschlag confirms that she got a new data record after looking at the app. Access to the original reservation is therefore no longer possible.
How can this be?
It is actually clear that reservation codes, ticket numbers, personal data and QR codes should never be published on public platforms. It’s hard to explain how this could still happen. Ueberschlag, “Did a trainee tweet there?” he asks.
Swiss does not want to go into such details and internal processes. However, the airline clarifies that there are binding processes to protect passenger data. “In the present case, this process was not immediately triggered, and it upsets us a lot,” says Pelzer. This is a sad isolated case that “shouldn’t be like this”.