BWH Hotels Reports Six‑Month Undetected Reservation Data Breach

BWH Hotels operates more than 4,000 properties worldwide under brands such as WorldHotels, Best Western Hotels & Resorts and Sure Hotels. The breach involved a web application that stored reservation records but not financial data. After detecting the intrusion, the company took the application offline and engaged external security experts to investigate.

- Access began on October 14 2025 and lasted until discovery on April 22 2026, a span of roughly six months. - Compromised fields: guest names, email addresses, phone numbers, reservation dates, room types and special requests. - Payment card data and other financial information were not stored in the affected system, so they were not accessed. - The exact number of affected individuals has not been disclosed. - No ransom note or public claim from a known cybercrime group has been observed.

The long dwell time highlights gaps in monitoring of internal web applications. Attackers likely used valid credentials or exploited a public‑facing flaw (MITRE ATT&CK T1190) to gain entry, then moved laterally to the reservation database (T1059). Because payment data was isolated, the breach demonstrates the value of network segmentation.