Answer Brief
BWH Hotels, operator of the Best Western brand, confirmed a security incident involving unauthorized access to a web application used for guest reservations. The breach spanned approximately six months, exposing personal guest information from October 2025 through April 2026.

Why It Matters
This incident highlights a significant dwell time of six months, during which attackers maintained access to guest reservation systems. While BWH Hotels claims that financial and payment data remained secure, the exfiltration of names, addresses, phone numbers, and specific booking details (including check-in dates and special requests) provides high-value material for targeted social engineering. The report of phishing emails appearing as early as February 2026 suggests that the stolen data was weaponized months before the breach was officially detected. For global security teams, this case underscores the risk of third-party or franchise-model web applications as entry points. It also emphasizes the importance of monitoring for "data staging" or unusual access patterns in reservation portals, which are frequent targets in the hospitality sector due to the high volume of PII they handle.
Event Type: security
Importance: high
Affected Companies
- BWH Hotels
- Best Western Hotels & Resorts
- Sure Hotels
- WorldHotels
Affected Sectors
- Cybersecurity
- Hospitality
- Travel & Tourism
Key Numbers
- Duration of Unauthorized Access: 6 months
- Countries and Regions of Operation: 80+
- Total Global Hotel Locations: 4,200+
Timeline
- Earliest date of unauthorized access according to investigation
- UK users reportedly received phishing emails containing accurate reservation details
- BWH Hotels discovers unauthorized activity and takes the web application offline
- Public disclosure of the incident and notification to affected customers