Hackers sipped data from BWH Hotels' reservation system for over six months

Hospitality giant BWH Hotels said a malicious actor hacked into one of its web applications and exfiltrated customers’ personal and reservation data over a six-month period.

The Phoenix, Arizona-headquartered hospitality giant, which owns hotel brands like WorldHotels, Best Western Hotels & Resorts and SureStay Hotels, announced the significant data breach in notification letters addressed to affected customers, a copy of which was recently uploaded to Reddit.

In its notification letter, BWH Hotels said it discovered the unauthorised access to the compromised web application on April 22, and quickly moved to sever the unauthorised access and take the web application offline as a precaution.

The compromised web application stored certain guest reservation data that included guests’ personal details such as their names, email addresses, telephone numbers, and/or home addresses, as well as reservation numbers, dates of stay and any special requests.

BWH Hotels has a significant global presence, operating around 4,300 hotels in more than a hundred countries and territories worldwide and amassing 62 million loyalty program members. Its WorldHotels brand caters to upscale and luxury segments, the Best Western brand operates in the midscale to upper upscale segments, and the SureStay Hotels brand offers affordable stays to value-oriented travelers.

The hotel group said an investigation into the data breach incident revealed that the malicious actor hacked into the vulnerable web application on October 14, 2025, and continued to exfiltrate stored information until the unauthorised access was detected and severed on April 22. This indicated that the hotel group failed to detect the unauthorised access for more than six months.

"Upon discovering the incident, we immediately took the application offline and revoked the unauthorized access. We have engaged leading external cybersecurity experts to support our incident response efforts and to assist with the further strengthening of existing safeguards," BWH Hotels said.

The hospitality giant did not state how many customers were impacted by the security incident or whether the malicious actor had demanded a ransom in exchange for guests’ personal and reservation information. The company is yet to notify US regulators about the incident or offer identity protection or credit monitoring services to affected customers.

"We advise guests to be extra vigilant when viewing any unexpected or suspicious communications about hotel stays. If you receive a suspicious communication such as an unexpected email, text, WhatsApp message, or telephone call that asks for payment, codes, logins, or “verification,” even if they reference a BWH Hotels property or an upcoming reservation, do not engage. Navigate to sites directly rather than clicking links," said Bill Ryan, the hotel chain’s chief technology officer.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543