BWH Hotels reports prolonged reservation system compromise with potential guest data exposure
Summary
Hide ▲
Show ▼
A hospitality group operating over 4,000 hotels worldwide disclosed a security incident where threat actors maintained unauthorized access to a guest reservation web application for approximately six months. The intrusion was detected on April 22, 2026, with evidence showing initial compromise on October 14, 2025. Attackers accessed guest reservation data including names, email addresses, phone numbers, and reservation details, though payment information was not stored in the affected system. The application was taken offline immediately upon discovery, and an external investigation was initiated. While the scope of affected individuals remains undisclosed, the hotel group has warned that stolen data may be used for subsequent phishing and scam campaigns.
Timeline
-
12.05.2026 17:30 1 articles · 1h ago
Six-month unauthorized access to BWH Hotels reservation system disclosed
Threat actors gained and maintained unauthorized access to a BWH Hotels reservation web application from October 14, 2025, until discovery on April 22, 2026. The breach exposed guest reservation data including names, email addresses, phone numbers, and reservation details, while payment information remained unaffected. The compromised application was taken offline immediately, and an external investigation was initiated.
Show sources
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months — www.securityweek.com — 12.05.2026 17:30
Information Snippets
-
The intrusion into BWH Hotels’ reservation web application was first detected on April 22, 2026.
First reported: 12.05.2026 17:301 source, 1 articleShow sources
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months — www.securityweek.com — 12.05.2026 17:30
-
Threat actors had continuous unauthorized access to the affected system from October 14, 2025, to the date of discovery.
First reported: 12.05.2026 17:301 source, 1 articleShow sources
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months — www.securityweek.com — 12.05.2026 17:30
-
Compromised data included guest names, email addresses, phone numbers, and reservation details.
First reported: 12.05.2026 17:301 source, 1 articleShow sources
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months — www.securityweek.com — 12.05.2026 17:30
-
Payment and financial information were not stored in the affected system and thus not accessed by the attackers.
First reported: 12.05.2026 17:301 source, 1 articleShow sources
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months — www.securityweek.com — 12.05.2026 17:30
-
BWH Hotels operates over 4,000 hotels globally under brands including WorldHotels, Best Western Hotels & Resorts, and Sure Hotels.
First reported: 12.05.2026 17:301 source, 1 articleShow sources
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months — www.securityweek.com — 12.05.2026 17:30
-
The compromised web application was taken offline immediately after discovery, and an investigation was conducted with external security experts.
First reported: 12.05.2026 17:301 source, 1 articleShow sources
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months — www.securityweek.com — 12.05.2026 17:30