A solo passenger on an Etihad flight has said a contractor for the airline used the company database to send her unsolicited personal messages.
The 23-year-old British woman, Hannah Smethurst, had travelled to Abu Dhabi to visit a friend and was at a gate at the airport, ready to board her return flight to Manchester, UK, when the WhatsApp messages arrived. She published a screenshot of the exchange on Twitter.
“Heyyy, I have seen u from abudhabi,” said the first two messages, received in the early hours of the morning from a sender called Muhammed, who followed up with a blushing, smiley emoji.
Smethurst’s immediate response was to question how the sender accessed her number. The sender proceeded to say “Sorry” and then sent at least seven more messages, confessing they had searched for her in “the system”.
Applicable General Data Protection Regulations (GDPR) make it illegal to use a person’s personal data for any purpose other than fulfilling contractual, legal, vital interest or official obligations, and only then with consent.
After Smethurst made the incident public, a male Twitter user attempted to equate the messages to official updates from the airline. Smethurst stated, “It was on his personal wattsapp [sic] with ‘hey’ I don’t think it was official business.”
“Absolutely reported it, massive data breech [sic]. He has access to all my details including home address via the airline system it’s terrifying,” she added.
According to The Guardian, airline representatives at first brushed off Smethurst’s complaint. In a move that could be seen as inconveniencing or even having a chilling effect on a victim, they then followed up by “offering” to remove her from her flight home, so that she could report it to police.
Etihad staff at Manchester eventually took the incident more seriously, according to Smethurst. However, in another misstep, the airline asked Smethurst on Twitter to “private message” the company in order for them to investigate.
“She’s already reported it. You contact her and reassure her you’re taking it seriously,” responded another Twitter user.
Etihad later issued a statement saying it had launched a full investigation after speaking to Smethurst. It acknowledged there had been “inappropriate conduct” which it attributed to “an employee of a third-party contractor”.
“As a result of the investigation, the relevant employee involved has been disciplined in accordance with the contractor’s disciplinary procedures,” a spokesperson said. “The privacy and safety of our guests is our No 1 priority and we sincerely apologise for the distress caused to our guest.”
The penalty for GDPR violations can be up to 20 million euros (£17 million).