Hackers accessed BWH Hotels reservation system for months
May 12, 2026 
BWH Hotels says hackers accessed guest reservation data, including names and contacts, for over six months across multiple hotel brands.
BWH Hotels disclosed a data breach, with threat actors having had access to guest reservation data for more than six months. The incident exposed names and contact details of an undisclosed number of guests.
BWH Hotels is one of the world’s largest hotel networks, operating more than 4,000 hotels in over 100 countries. The group was created from the evolution of Best Western and today manages a multi-brand portfolio ranging from budget to luxury hospitality.
The hospitality group included brands such as Best Western Hotels & Resorts, WorldHotels, and Sure Hotels.
BWH Hotels disclosed that hackers accessed a reservation system between October 2025 and April 2026, exposing guest contact details and stay information.
“We are writing to let you know that on April 22, 2026, we identified unauthorized activity in one of our web applications that houses certain guest reservation data.” reads the data breach notification sent to the affected customers. “We have learned that certain guests’ names, email addresses, telephone numbers, and/or home addresses, along with other reservation details (e.g., reservation numbers, dates of stay, and any special requests) for reservations in our system were accessed by an unauthorized third‑party between October 14, 2025 and April 22, 2026, including yours.”
The company pointed out that payment data was not stored in the affected system and therefore was not compromised.
“Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed.” continutes the notification.
After discovering the intrusion, BWH took the application offline, revoked access, and hired external cybersecurity experts to support the investigation and strengthen protections.
Guests were also warned to watch for phishing emails, texts, calls, or fake booking messages exploiting the stolen reservation data.
BWH Hotels urged guests to stay alert for phishing emails, fake booking pages, and suspicious payment requests following the breach.
The company recommends customers to verify website addresses before entering payment details and contact their bank immediately if financial data was shared with scammers.
BWH also apologized for the incident and provided support through its data protection office.
At this time, no known cybercriminal group has claimed responsibility for the attack targeting BWH Hotels.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, data breach)
