BWH Hotels Data Breach Exposes Guest Reservation Data for Six Months
BWH Hotels disclosed that attackers accessed a web application containing guest reservation data for over six months, from October 2025 to April 2026, exposing names, emails, and reservation details.
BWH Hotels, the hospitality group behind brands such as Best Western Hotels & Resorts, WorldHotels, and Sure Hotels, has disclosed a data breach that exposed guest reservation data for more than six months. The company operates over 4,000 hotels worldwide and began notifying affected customers after discovering the intrusion on April 22, 2026.
According to emails sent to impacted guests, the attackers gained access to a web application housing some guest reservation data on October 14, 2025, and maintained that access until April 22, 2026. The exposed information includes names, email addresses, phone numbers, and reservation details. Critically, BWH Hotels stated that "payment and other financial information was not stored in the affected system and therefore was not accessed."
The company took the compromised application offline immediately upon discovery and launched an investigation with the assistance of external security experts. BWH Hotels has not disclosed the total number of individuals affected, and no known cybercrime group has claimed responsibility for the attack. The hotel group expressed concern that attackers may use the stolen data for targeted phishing and social engineering scams.
This incident highlights the persistent threat to the hospitality sector, which handles large volumes of personal data and often relies on interconnected reservation systems. The long dwell time of over six months suggests the attackers may have exfiltrated data over an extended period, increasing the potential for downstream fraud.
BWH Hotels has not yet provided details on how the web application was compromised or whether additional security measures have been implemented beyond taking the system offline. The company is likely to face regulatory scrutiny depending on the jurisdictions affected, particularly under data protection laws such as GDPR in Europe and state breach notification laws in the United States.
The breach follows a pattern of attacks targeting the hospitality industry, including recent incidents at Booking.com and nightclub giant RCI Hospitality. The sector's reliance on third-party booking platforms and customer-facing web applications makes it a prime target for data theft and ransomware.
As the investigation continues, affected guests are advised to remain vigilant against unsolicited communications requesting personal or financial information. BWH Hotels has not yet offered credit monitoring or identity protection services to impacted individuals, but such measures may be announced as the scope of the breach becomes clearer.