A TUI hotel is putting children at risk by broadcasting their personal information over social media.
Six weeks ago, I went on holiday to a TUI-operated hotel in Cancun, Mexico. Our daughter joined the kids club at the hotel, and we were asked to hand over our mobile phone numbers so that the kids club staff could contact us.
Our mobile phone numbers were added to a WhatsApp group, along with all the other parents whose children had joined the kids club. This was used to broadcast information about the club’s activities, but alarmingly it was also used by both the hotel staff and other parents to share detailed personal information that could put their children’s safety at risk.
Hotel staff would broadcast the room numbers of children that needed collecting, allowing anyone in the group to know precisely which rooms contained young children:
On other occasions, hotel staff would broadcast the names of children that required collection, with parents’ responses allowing third parties to see the names and telephone number of the parent:
Similarly, parents would often message the kids club, sharing the names of their children AND their room numbers – a practice that was never discouraged by staff:
Such messages were frequent throughout the day, making it simple for anyone in the group to compile a list of children’s names and their room numbers.
Worse still, six weeks after returning from the holiday, I still haven’t been removed from the WhatsApp group and continue to receive messages of a similar nature.
What does TUI have to say?
I first wrote about this security breach in my monthly column for PC Pro, which is on sale now.
I didn’t name the hotel – as I haven’t in this article – because I didn’t want to give potential child abductors an easy target. However, I did write in PC Pro that I would be contacting the TUI press office to warn them of the danger their kids club WhatsApp group posed.
When I rang the TUI press office in early June to report my fears, I was told to send an email. The company hasn’t bothered to reply to that message and, as revealed above, the WhatsApp group continues to broadcast children’s names and room numbers to ‘guests’ who have long since left the hotel.
It’s been 12 year since Madeleine McCann went missing – presumed abducted – on holiday. It’s hard to believe any holidaymaking British parent has forgotten about the case, let alone a British holiday operator. TUI needs to review its security, urgently.
UPDATE – 1st August 2019
Two months after my holiday in Mexico ended, TUI finally kicked me and many others out of the WhatsApp group.
That certainly doesn’t mean TUI has wised up or the danger has passed. The group is still running and even though I’m no longer a member, I can still see the telephone numbers and names of the 25 parents who are still in the group. This is, at the very best, breaching the personal data of those involved.
Meanwhile, TUI still hasn’t responded to my complaint. It’s time to raise it beyond the press office and write to the CEO.