BWH Hotels, the parent company behind Best Western Hotels & Resorts, WorldHotels, and SureStay Hotels, has disclosed a data breach after hackers gained access to guest reservation systems for more than six months.
According to notices sent to affected customers, the company discovered unauthorized activity on April 22, 2026, involving a web application used to store hotel reservation information. Investigators later determined that attackers had access to the system between October 14, 2025, and April 22, 2026.
The compromised information includes guest names, email addresses, phone numbers, home addresses, reservation numbers, stay dates, and special requests associated with hotel bookings. BWH Hotels said payment card and banking information were not affected because financial data was not stored in the impacted application.
The company has not disclosed how many guests were impacted by the breach. However, BWH Hotels operates more than 4,000 hotels worldwide across multiple brands, including Best Western, WorldHotels, and Sure Hotels.
BWH Hotels said attackers exploited a vulnerability in one of its web applications to gain unauthorized access to reservation data. After discovering the intrusion, the company took the affected application offline, revoked unauthorized access, and launched an investigation with the help of external cybersecurity experts.
In customer notifications, the company warned guests to be cautious of phishing emails, suspicious text messages, fake booking pages, and fraudulent phone calls referencing hotel reservations. BWH specifically advised customers not to respond to unexpected requests for payments, login credentials, verification codes, or personal information.
The breach raises concerns because exposed reservation information can be highly valuable for scammers. Cybercriminals can use legitimate booking details, hotel names, travel dates, and contact information to create convincing phishing campaigns targeting travelers with fake payment requests or fraudulent reservation updates.
BWH Hotels also warned that attackers may attempt to impersonate hotel staff or customer support representatives using stolen reservation details to make scams appear legitimate. The company recommended that customers navigate directly to official hotel websites instead of clicking links in emails or messages.
The hospitality industry has become a frequent target for cyberattacks because hotel systems store large amounts of personal information tied to reservations, travel plans, loyalty accounts, and payment activity. Reservation systems are particularly attractive to attackers because they often contain detailed customer contact data that can later be abused in phishing operations.