VYPR
breachPublished May 11, 2026· Updated May 17, 2026· 1 source

BWH Hotels Confirms Data Breach Exposing Six Months of Guest Reservation Records

BWH Hotels has confirmed that a web application breach exposed six months of guest reservation data, though the company maintains that no financial information was compromised.

BWH Hotels, the parent company of Best Western Hotels & Resorts, WorldHotels, and Sure Hotels, has confirmed a significant data breach involving one of its web applications used to store guest reservation information. The company discovered the unauthorized access on April 22, 2026, and subsequently took the affected application offline to revoke the intruders' access The Register.

According to BWH Hotels CTO Bill Ryan, the breach exposed a six-month window of data, spanning from October 14, 2025, to the date of discovery in April The Register. While the company has not clarified whether the intrusion persisted undetected for that entire duration or if a later breach simply accessed historical records, the compromised information includes names, email addresses, telephone numbers, and home addresses. Additionally, attackers gained access to specific reservation details, including reservation numbers, dates of stay, and special requests made by guests The Register.

BWH Hotels has explicitly stated that no payment or financial information was stored within the compromised web application, meaning no credit card or banking data was exposed in this incident The Register. Despite this, the nature of the stolen data—specifically reservation details—poses a significant risk for targeted phishing campaigns. The company has advised guests to remain vigilant against suspicious communications, such as unexpected emails, texts, or phone calls requesting payments, verification codes, or login credentials, even if those messages appear to reference legitimate upcoming stays The Register.

In response to the incident, BWH Hotels has engaged external cybersecurity experts to assist with incident response and the strengthening of existing security safeguards The Register. The company confirmed that it has notified the appropriate regulatory agencies regarding the breach. However, BWH Hotels has declined to provide further details regarding the specific nature of the vulnerability or whether the incident is linked to reports from March regarding stolen booking data being utilized in phishing attacks The Register.

This incident highlights the ongoing risks associated with third-party web applications that house sensitive customer data. As organizations increasingly rely on interconnected reservation systems, the exposure of even "limited" contact and booking information can provide threat actors with the necessary context to conduct highly convincing social engineering attacks. Guests are encouraged to navigate directly to official hotel websites rather than clicking on links provided in unsolicited communications The Register.

Synthesized by Vypr AI