American Airlines Accidentally Prompts Frequent Flyers to Leak Their Own Data

Dec 22, 2018

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

You’d think that the world’s largest airline would be very cautious about not sharing its most important customers’ personal and frequent flyer account information. But, this is exactly the situation that American Airlines faced this week when it sent out “your year in review” emails to its frequent flyers. And reviews are mixed in how the airline is handling the situation.

Here’s what happened: On Thursday evening, American Airlines sent its elite flyers an email with their flying stats so far in 2018. The extended graphic had fascinating facts like number of hours in the sky, number of destinations visited, longest flight, aircraft flown the most, bag fees saved and number of upgrades received.

Those are some fun stats that would otherwise take a lot of record-keeping for flyers to figure out themselves. And there’s no issue with flyers sharing this information. However, the problem was with the social sharing buttons at the bottom of the email.

Flyers were prompted to “Share your travel #2018from30kfeet” with links to share this infographic on Facebook and Twitter. But, the information didn’t just include the flyer’s stats — but also included the frequent flyer number and email address associated with the account.

Within a couple of hours, the TPG tips email lit up with reports about the issue. It seems that American Airlines caught the issue fairly quickly, as the Facebook and Twitter sharing links in my email were broken by the time I looked into the situation that evening.

Mistakes happen, but the true test of a company’s customer service is how they handle the follow-up after a mistake. On Friday afternoon, TPG contributor Patrick Fallon reported receiving a follow-up email from American Airlines’ Chief Privacy Officer Russell Hubbard, admitting the mistake. Referring to the year-end summary email, AA is forthright about what was accidentally shared:

At the time the email was sent, those links inadvertently included your AAdvantage number and email address associated with your AAdvantage account. If you shared the link on Facebook or Twitter, that information was made visible to those with access to your social media post. We quickly corrected the issue, however, our records show you may have posted the link before we caught the error thereby exposing your AAdvantage number and email address.

The email recommended those who posted their infographic remove the social media post and “actively monitor your [AAdvantage] account and let us know if you observe and suspicious activity.” Later, Patrick received a follow-up phone call from American Airlines apologizing for the error.

But, it seems that apologizing is all that the airline is going to do: American Airlines replied to TPG reader Christoph Trappe on Twitter saying that the airline isn’t offering bonus miles for the mistake, but is offering to change the frequent flyer’s number if they’re concerned:

In a blog post about the situation, Christoph shared that he too received an email and a follow-up phone call. Although concluding that “the follow up wasn’t bad,” he points out that the email and phone call weren’t until 18 hours after he’d accidentally posted the infographic. If he hadn’t noticed the error and immediately removed the post, this would have been a very long time for his information to have been shared.

For frequent flyers like Patrick who noticed the error before posting to social media, I can see the airline’s argument for not granting miles. In Christoph’s case, his information was indeed leaked — if even for a moment — so a token mileage bonus seems justified. Hopefully any flyers that were seriously affected by this leak will get commensurate mileage compensation and prompt attention to rectifying the impact.

The takeaway for TPG readers: be careful what you share on social media. Theft of loyalty program points and miles are a lot more common than one might think. It’s never a good idea to post your boarding pass. If you must show off that first class ticket, make sure to black out the barcode, ticket number, reservation number, frequent flyer number and any other personal information on the boarding pass. It’s surprisingly easy for someone to wreck your trip with this information.

If you were one of the American Airlines flyers who accidentally posted your personal information, know that you have the option to change your frequent flyer number. And since two of the three pieces of information that are needed to log into your account would be known (frequent flyer number and last name), you probably want to change your AA password to be safe.

Featured image by Luis Alvarez via Getty Images

Delta SkyMiles® Platinum American Express Card

Earn 90,000 bonus miles after you spend $3,000 in purchases within the first three months of card membership. Plus, earn a $200 statement credit after your first Delta purchase within the first three months. Offer ends 7/28/21.

With Status Boost™, earn 10,000 Medallion Qualification Miles (MQMs) after you spend $25,000 in purchases on your Card in a calendar year, up to two times per year getting you closer to Medallion Status. Earn 3X Miles on Delta purchases and purchases made directly with hotels, 2X Miles at restaurants and at U.S. supermarkets and earn 1X Mile on all other eligible purchases. Terms Apply.

Apply Now
More Things to Know
  • Limited Time Offer: Earn 90,000 Bonus Miles after spending $3,000 in purchases on your new Card in your first 3 months and a $200 statement credit after you make a Delta purchase with your new Card within your first 3 months. Offer expires 7/28/2021.
  • Limited Time Offer: Plus, get a 0% intro APR on purchases for 12 months from the date of account opening, then a variable 15.74%-24.74%. Offer expires 7/28/2021.
  • Accelerate your path to Medallion Status, with Status Boost®. Plus, in 2021 you can earn even more bonus Medallion® Qualification Miles (MQMs) to help you reach Medallion Status.
  • Earn 3X Miles on Delta purchases and purchases made directly with hotels.
  • Earn 2X Miles at restaurants worldwide, including takeout and delivery and at U.S. supermarkets.
  • Receive a Domestic Main Cabin round-trip companion certificate each year upon renewal of your Card. *Payment of the government imposed taxes and fees of no more than $75 for roundtrip domestic flights (for itineraries with up to four flight segments) is required. Baggage charges and other restrictions apply. See terms and conditions for details.
  • Enjoy your first checked bag free on Delta flights.
  • Fee Credit for Global Entry or TSA Pre✓®.
  • Enjoy an exclusive rate of $39 per person per visit to enter the Delta Sky Club® for you and up to two guests when traveling on a Delta flight.
  • No Foreign Transaction Fees.
  • $250 Annual Fee.
  • Terms Apply.
  • See Rates & Fees
Intro APR on Purchases
0% on purchases for 12 months
Regular APR
15.74%-24.74% Variable
Annual Fee
$250
Balance Transfer Fee
N/A
Recommended Credit
Excellent/Good
Terms and restrictions apply. See rates & fees.

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.