Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Lastminute.com booking glitch and breach of data protection help?

  • 08-02-2017 3:13pm
    #1
    Registered Users, Registered Users 2 Posts: 10


    Hi -- sorry brace yourselves, this is going to be long but I need to explain the situation in full.

    I was booking flights from Dublin to Bali for next July with lastminute.com (UK online company) last Friday evening, Feb 3rd. Two of my friends were also booking the same flights (but we were booking separately on our own laptops, in our own homes). When I was booking my own with my visa debit the website glitched after I put in my verified by visa code and brought me back to the checkout page. I checked my online banking and the money for the flights was under "pending".

    One of my friends who was booking at the same time put in all her own information, her own verified by visa code and was brought to the processing page where she was given a booking ID -- but under this information, where it should have listed my friends contact details, it listed mine -- on her computer. She checked her online banking and the money for the flights was also under "pending". I received a booking confirmation via email (which only listed my name, email and mobile no -- there was no mention of payment details), my friend didn't receive anything. She called customer services and they said they had no record of her booking details and that her booking ID belonged to me (citing my name and my email -- surely a breach of data protection?) and that I would need to call to explain.

    When I called they confirmed my booking but refused to confirm whether or not it was my card that was connected to the booking ID under my name citing data protection. The only information they could give me was my email, mobile number and flight details -- all of which had appeared on my friend's computer during her booking -- they also wouldn't transfer me to someone who could give me this information so I requested a full refund.

    We've both been in contact with our bank's card services and they've given us approval codes that lastminute.com would be able to use to trace our bookings but the company is sending us round in circles. I've been told that they will refund me and that it is being processed to the card used in the transaction (in 5-15 working days), but I do not know if that is my visa debit card or my friend's. The money is still listed under "pending" in both of our accounts. Tbqh I don't know what I should do? How long should I wait for the refund to appear back in my account?

    My other friend who booked obviously doesn't want to go anymore either after all this hassle but the lastminute are only offering her a refund of €25 (when we paid €770) citing the airlines policies. My friend has been on to the individual airlines involved and they have all said she can get a refund with a small penalty fee. Lastminute have been so unclear and difficult to deal with, is there anything she can do?

    Kind regards, H


Comments

  • Registered Users, Registered Users 2 Posts: 71,186 ✭✭✭✭L1011


    The information leak should be informed to the Data Protection Commissioners - Lastminute should do the same to the ICO in the UK once you have informed them and could be heavily fined for not doing so. Pending but uncompleted payments on a debit card usually take 10 working days to lapse.

    The third friend doesn't have a case for a full refund here.


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,536 Mod ✭✭✭✭Cabaal


    So you're suggesting data supplied via a secure certified SSL connection on one laptop suddenly got routed to another laptop that happened to be on the same network?

    I must say you'll have a hard time proving such a thing actually happened, any company is going to see it as a user error... Perhaps for example a browser having pre-saved data and the like.

    None the less you could report to to relevant agency's if you believe this happened


  • Registered Users, Registered Users 2 Posts: 10 helenivy


    L1011 wrote: »
    The information leak should be informed to the Data Protection Commissioners - Lastminute should do the same to the ICO in the UK once you have informed them and could be heavily fined for not doing so. Pending but uncompleted payments on a debit card usually take 10 working days to lapse.

    The third friend doesn't have a case for a full refund here.
    Thank you for that -- going to get on to the Data Protection Commissioners now.

    We know she isn't entitled to a full refund but we thought it would be more than €25.

    Lesson learned, that's for sure. Don't take the cheap option.


  • Registered Users, Registered Users 2 Posts: 10 helenivy


    Cabaal wrote: »
    So you're suggesting data supplied via a secure certified SSL connection on one laptop suddenly got routed to another laptop that happened to be on the same network?

    I must say you'll have a hard time proving such a thing actually happened, any company is going to see it as a user error... Perhaps for example a browser having pre-saved data and the like.

    None the less you could report to to relevant agency's if you believe this happened
    Tbh I know how unlikely it sounds. I had sent my friend the link to the booking page but I hadn't any information filled in at that point. We have a screenshot of what came up on her laptop but I don't know how much that proves, unfortunately.

    Anyway, thanks for the response.


  • Registered Users, Registered Users 2 Posts: 4,739 ✭✭✭nava


    helenivy wrote: »
    Tbh I know how unlikely it sounds. I had sent my friend the link to the booking page but I hadn't any information filled in at that point. We have a screenshot of what came up on her laptop but I don't know how much that proves, unfortunately.

    Anyway, thanks for the response.

    It will be unlikely to happen but could it be that the link you sent to your fiend was a summary page with the flights already selected? I wonder if the url you sent included a unique ID that would cause that lastminute thought it was your booking? Something similar to the link here if that works you should see flight from DUB to BCN.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 10 helenivy


    Yes thats exactly what I sent her and we think that may be what happened. We've made lastminute aware of the fact but we haven't gotten any response.


  • Registered Users, Registered Users 2 Posts: 71,186 ✭✭✭✭L1011


    nava wrote: »
    It will be unlikely to happen but could it be that the link you sent to your fiend was a summary page with the flights already selected? I wonder if the url you sent included a unique ID that would cause that lastminute thought it was your booking? Something similar to the link here if that works you should see flight from DUB to BCN.

    Unique IDs shouldn't leak names etc across sessions. Very easy to generate IDs to scrape data. First post does specify it was more than just the flight numbers.


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,536 Mod ✭✭✭✭Cabaal


    L1011 wrote: »
    Unique IDs shouldn't leak names etc across sessions. Very easy to generate IDs to scrape data. First post does specify it was more than just the flight numbers.

    No unique ID's shouldn't on their own,
    But perhaps a number of factors could have come into play, unique ID's, matching IP address etc?


  • Registered Users, Registered Users 2 Posts: 4,739 ✭✭✭nava


    helenivy wrote: »
    Yes thats exactly what I sent her and we think that may be what happened. We've made lastminute aware of the fact but we haven't gotten any response.

    Do you still have the link? what do you get if you click on it now?
    L1011 wrote: »
    Unique IDs shouldn't leak names etc across sessions. Very easy to generate IDs to scrape data. First post does specify it was more than just the flight numbers.


    You wouldn't be able to see the submitted names as once they are submitted the link probably changes, also the link is probably to that form as it's now.

    My thought was, if both submitted the form with that ID, it caused the confusion on the system that mix data from both forms, from the OP sounds like could be that.

    The url probably doesn't work after been book or after a few hours.


  • Registered Users, Registered Users 2 Posts: 10 helenivy


    nava wrote: »
    Do you still have the link? what do you get if you click on it now?




    You wouldn't be able to see the submitted names as once they are submitted the link probably changes, also the link is probably to that form as it's now.

    My thought was, if both submitted the form with that ID, it caused the confusion on the system that mix data from both forms, from the OP sounds like could be that.

    The url probably doesn't work after been book or after a few hours.
    Still have the link but the particular flights aren't available anymore so it just brings me to a page with further options.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 71,186 ✭✭✭✭L1011


    nava wrote: »
    Do you still have the link? what do you get if you click on it now?




    You wouldn't be able to see the submitted names as once they are submitted the link probably changes, also the link is probably to that form as it's now.

    My thought was, if both submitted the form with that ID, it caused the confusion on the system that mix data from both forms, from the OP sounds like could be that.

    The url probably doesn't work after been book or after a few hours.

    It's still catastrophically bad programming no matter how it's swung. ICO will be very interested


  • Registered Users, Registered Users 2 Posts: 10 helenivy


    L1011 wrote: »
    It's still catastrophically bad programming no matter how it's swung. ICO will be very interested
    Do you think I should raise this with the ICO as well as the Data Protection Commissioner?


Advertisement