News Online

Why is TUI broadcasting children’s names and hotel room numbers on WhatsApp?

July 15, 2019
3 Min Read
beach holiday
Children at risk: TUI broadcasts names and room numbers on WhatsApp

A TUI hotel is putting children at risk by broadcasting their personal information over social media.

Click here to read our latest update on the story if you’ve read it before

Six weeks ago, I went on holiday to a TUI-operated hotel in Cancun, Mexico. Our daughter joined the kids club at the hotel, and we were asked to hand over our mobile phone numbers so that the kids club staff could contact us.

Our mobile phone numbers were added to a WhatsApp group, along with all the other parents whose children had joined the kids club. This was used to broadcast information about the club’s activities, but alarmingly it was also used by both the hotel staff and other parents to share detailed personal information that could put their children’s safety at risk.

Hotel staff would broadcast the room numbers of children that needed collecting, allowing anyone in the group to know precisely which rooms contained young children:

TUI WhatsApp

On other occasions, hotel staff would broadcast the names of children that required collection, with parents’ responses allowing third parties to see the names and telephone number of the parent:

TUI WhatsApp

Similarly, parents would often message the kids club, sharing the names of their children AND their room numbers – a practice that was never discouraged by staff:

TUI WhatsApp

Such messages were frequent throughout the day, making it simple for anyone in the group to compile a list of children’s names and their room numbers.

Worse still, six weeks after returning from the holiday, I still haven’t been removed from the WhatsApp group and continue to receive messages of a similar nature.

What does TUI have to say?

I first wrote about this security breach in my monthly column for PC Pro, which is on sale now.

I didn’t name the hotel – as I haven’t in this article – because I didn’t want to give potential child abductors an easy target. However, I did write in PC Pro that I would be contacting the TUI press office to warn them of the danger their kids club WhatsApp group posed.

When I rang the TUI press office in early June to report my fears, I was told to send an email. The company hasn’t bothered to reply to that message and, as revealed above, the WhatsApp group continues to broadcast children’s names and room numbers to ‘guests’ who have long since left the hotel.

It’s been 12 year since Madeleine McCann went missing – presumed abducted – on holiday. It’s hard to believe any holidaymaking British parent has forgotten about the case, let alone a British holiday operator. TUI needs to review its security, urgently.

UPDATE – 1st August 2019

Two months after my holiday in Mexico ended, TUI finally kicked me and many others out of the WhatsApp group.

That certainly doesn’t mean TUI has wised up or the danger has passed. The group is still running and even though I’m no longer a member, I can still see the telephone numbers and names of the 25 parents who are still in the group. This is, at the very best, breaching the personal data of those involved.

Meanwhile, TUI still hasn’t responded to my complaint. It’s time to raise it beyond the press office and write to the CEO.

READ NEXT: A security consultant’s guide to password managers

Tags

About the author

View All Posts

Barry Collins

Barry has scribbled about tech for almost 20 years for The Sunday Times, PC Pro, WebUser, Which? and many others. He was once Deputy Editor of Mail Online and remains in therapy to this day. Email Barry at barry@bigtechquestion.com.

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.