When it comes to getting a customer service issue resolved as quickly as possible, publicly tweeting at a company can be quite effective. You’d certainly hope, however, that the company wouldn’t respond by publicly sharing your sensitive data—as Southwest Airlines recently did on Twitter.
Ars Technica first reported on the privacy violation experienced this week by Jackie Singh, the CEO of cybersecurity consulting firm Spyglass Security. Singh on Wednesday tweeted at the company about inappropriate commentary by a male flight attendant that allegedly included “jokingly enticing passengers to select seats in the rear [plane emoji] with offers of free beer, free liquor, ‘younger women,’ and random negative commentary about his ex-wife.”
In since-deleted tweets, Ars Technica reported, a Southwest Airlines representative identified as “Emilia” responded not only with a tweet that included Singh’s flight number, but with an additional tweet that claimed that flight numbers—which can reveal the location of a passenger—do not constitute personally identifiable information, or PII. Emilia further told Singh she was “welcome to reach out to us privately in the future if you do not wish to discuss your travel publicly,” according to Ars Technica.
Speaking with Gizmodo over Signal, Singh said that the incident forced her to hide in an airport bathroom near her security gate for 45 minutes after realizing she would need to exit security checkpoints “where someone could be waiting for me and I would have no way to protect myself from surveillance or worse.”
And it’s true, revealing someone’s location information could potentially endanger an individual for any number of reasons. In a Friday tweet, Singh wrote that she “had a very quick choice to make while on the aircraft, taxiing for takeoff—delete all my tweets referencing flying and contacting Southwest, and DM them privately asking them to remove their tweet with the flight #—or tell the world what they did and deal with the fallout.”
In a statement by email, a spokesperson for Southwest Airlines told Gizmodo it is not the company’s “policy to publicly share personally identifiable information about our Employees or our Customers” and that it had reached out to Singh “to express our apologies and regret over [Singh’s] disappointment.”
“The Safety and personal comfort of our Employees and Customers is always our top priority, and that includes protecting their right to privacy,” the spokesperson said. “Our Team is equipped to respond to Customer inquiries on social media and is trained on handling sensitive Customer data, and they are coached to proactively gather relevant information to understand our Customers’ need and quickly resolve their issue and provide an individualized and personal response.”
A curious element of this story is how or why a Southwest employee would be able to pull up Singh’s information using only a Twitter handle, which does not include Singh’s full name. Singh told Gizmodo she theorizes there are two primary ways the airline would have been able to glean her flight number solely from her Twitter profile and without her having yet privately reached out to the company.
The first is that her Twitter account is included in her personal Southwest profile, she said, which may be one way Emilia would have been able to pull up Singh’s flight itinerary, assuming representatives are able to access that information. The other could be with a confirmation number shared with the airline in private correspondence over Twitter regarding a positive experience Singh had with a different Southwest employee, screenshots of which were viewed by Gizmodo. Singh believes the first method is the more likely of the two.
When asked how Southwest Airlines identified Singh using only her account on Twitter, a spokesperson told Gizmodo it “cannot disclose information related to our internal processes.”
For her part, however—and certainly despite the fact that it is terrifying that a massive company with a robust social presence can access and publicly reveal the personally identifiable data of its customers—Singh said it’s better it happened to someone with a substantial and attentive following. (Singh has more than 15,000 followers on Twitter.)
“It was very upsetting—but couldn’t have happened to a better person to help bring light to it. I’m lucky to have an audience that cares,” she said. “Most people won’t have any recourse for this type of casual data abuse.”