HOSPITALITY group BWH Hotels says hackers had access to a web application housing some guest reservation data for more than six months. Emails sent to customers show the intrusion was discovered on 22 April 2026, with investigators finding that threat actors had access since 14 October 2025. The data accessed included guests’ names, email addresses, phone numbers, and reservation details, while payment and other financial information were not stored in the affected system and therefore were not accessed.
BWH Hotels operates more than 4,000 hotels worldwide, including brands such as WorldHotels, Best Western Hotels & Resorts, and Sure Hotels. It remains unclear how many individuals were affected by the breach. The company offline the compromised application and engaged external security experts to assist with the investigation, and it warned of potential phishing or scam risks resulting from the stolen data.