I Have a Moral Dilemma, Please Help
Recently, I received an email from my airline company informing me that our flight times had been unavoidably changed.
Not hugely, you understand. A mere half hour earlier.
But as we were being picked up at the other side by a driver, I didn’t see the point of hanging around waiting with all our luggage, so I logged into the transfer operator’s website to make amends.
The website was having none of it.
All I kept seeing was a blank drop down menu, so I hit the back button while I thought of a Plan B.
And that’s where it got interesting.
My login details on the banner header had now changed to that of a well known travel company with which the site owner had an account.
Confused, I hit the “My profile” tab and there was the Head Office address of said travel company, address, phone number, etc.
This was verifiable because where my name had been, it now said in bold letters “Welcome to your ****** account. You have 20,458 upcoming trips.”
I have what now?
I went cold.
Not really knowing if what I was doing was even legal, though I hadn’t done anything but login under my own name, I looked at my husband silently and hovered my cursor over the “My Trips” tab.
“Do it,” he said.
With one click I started to read a scrolling list of people’s names, addresses, telephone numbers…
I shut it down.
Sweet Baby Jesus!
My only option now was to email the travel company immediately and let them know that this data breach was in progress! Looking at the their website, I saw a ‘chat’ option, so after getting passed onto a supervisor, I quickly explained what had happened.
He asked me to provide a screenshot of my login screen.
I reopened the site.
It (thankfully) had timed me out and was now operating as normal.
I logged back in under my name and password and my details came into view.
“Welcome to your ****** account. You have 2 upcoming trips.”
I explained this to the chat supervisor. He seemed disappointed.
I’ve never felt so relieved.
Then I hit the back button…
And started taking screenshots.
I didn’t send all 20,458 pages.
Instead, I sent him 3:
- The title page of his company, showing the Head Office address, email address, account number.
- The login page of the site owner with the option to change their password (at my itchy fingertips)
- The header page of the 20,458 traveller list, showing times, dates, pick up points, airports, travel options.
I did not look at the Billing Tab.
The chat supervisor told me he would see to this issue immediately and was there anything else he could help me with.
I explained about the early flight. He told me this was something beyond his control and I needed to contact the vendor directly.
I told him the site was behaving erratically and I didn’t want to use it again until it was fixed, and as he now had to contact them himself to stop 20,000+ people losing their data in a massive breach of security, could he not just mention that my flight had been brought in earlier.
He said he would see what he could do.
The next morning, I received an email from the passenger transfer company, saying that they had been notified of the change of flight, and that our transportation had been updated successfully.
“Please see your new details to be printed out.”
Not ONE word about the 20,458 personal data breach.
Not from them, and certainly not from the travel company.
But I did still have those screenshots...
One that I didn’t send to the supervisor, was the first page I saw when I opened the “My Trips” tab. I didn’t want to be held responsible for pinging all those confidential details across the internet, and for good reason.
It had about a dozen names and addresses in clear view.
Some had UK phone numbers on them.
So, here’s my dilemma:
Should I call and tell those folks what happened, and why I just happen to have their personal mobile phone numbers?
Or should I delete the whole lot?
Is ignorance bliss?
Or do I have a moral duty to spill the beans?
What would you do?
