BWH Hotels – parent company of WorldHotels, Best Western, and the SureStays hotel brands is notifying guests that its reservations systems were hacked last October, warning their personal data may have been exposed for months.

BWH Hotels confirmed hackers lurked inside its reservation systems for months before the company discovered the breach.
Thousands of guest reservations tied to Best Western and other BWH brands may have been exposed, raising phishing risks for travelers
The company is now warning guests to watch for fake booking pages, suspicious messages, and urgent payment requests.

Key Takeaways by nexos.ai, reviewed by Cybernews staff.

The global hospitality giant, which boasts a brand portfolio of more than 4,500 hotels located in 100 countries, began sending breach notifications to affected guests last week, according to the Irish Information Security Forum (IISF).

BWH Hotels said it first discovered the hackers lurking in the company’s reservation systems on April 22nd – and admitted that the criminals had been inside the network for more than six months – alongside the sensitive data of tens of thousands of hotel guests.

“We first identified unauthorized activity in one of our web applications that houses certain guest reservation data,” the BWH notice said, adding that the bad actor was tracked inside the system from October 14th, 2025, to April 22nd, 2026.

BWH Hotels breach notification sent to affected guests. Image via Irish Information Security Forum (IISF)

Although BWH did not disclose the exact number of guests affected by the breach, the company says it has more than 53 million members in its BWH global loyalty program.

The hospitality group holds three major hotel brands, including the luxury-curated WorldHotels, the mid-tier Best Western Hotels chain, and the budget-friendly SureStay Hotels, each with its own branded collection of distinctive hotels.

To put it in perspective, in Great Britain alone, BWH had roughly 20,000 rooms available for guests to book as of 2025 – meaning the potential scope of the breach could be massive.

BWH Hotel brands — BWH Hotels operates more than 4,500 properties worldwide. bwhhotels.com

What guest data was compromised?

BWH says once it became aware of the breach, IT teams “immediately took the application offline and revoked the unauthorized access.”

After bringing in external cybersecurity experts to investigate, the company said it has determined the reservation data accessed by the threat actor during that six-month time period may include:

Names
Email addresses
Telephone numbers
Home addresses
Reservation numbers
Dates of stay
Special requests
Other reservation details

The company noted that payment and other financial information were not stored in the affected system and therefore were not accessed.

online reservation system — Guest reservation details may have been exposed in the breach. Image by M-Production | Shutterstock

BWH Hotels said it “takes the privacy and security of our guests' personal information very seriously,” and that hotel guests can contact BWH Hotels' data protection office with further questions.

It also said the security experts are assisting BWH to strengthen existing safeguards.

“We appreciate your understanding and sincerely apologize for any inconvenience or concern this incident may cause you,” said BWH Hotels Chief Technology Officer Bill Ryan, who signed the breach notification letter.

Guests warned of phishing attacks

BWH is warning affected guests to be on high alert for phishing attempts tied to hotel stays, reservations, or payment requests.

A recent hack of Booking.com revealed in mid-April also had the travel site warning its millions of users about an uptick in phishing attacks – with dozens of customers reporting fake emails and WhatsApp messages claiming to be from the booking behemoth.

employee phishing attack — BWH warns guests to watch for fake booking scams and phishing messages. Image by Gumbariya | Shutterstock

“We advise guests to be extra vigilant when viewing any unexpected or suspicious communications about hotel stays,” it said, adding always to verify the web address, even if the message references a real BWH Hotels property or upcoming reservation.

The company reminds potential victims that suspicious messages can go beyond emails and include texts, WhatsApp messages, and phone calls, oftentimes containing requests that feel urgent, unexpected, or unfamiliar.

Guests should avoid clicking any booking links in those messages and instead navigate directly to official hotel or booking websites, it said.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

BWH also warns that scammers can spoof sender addresses and create fake web pages that resemble the hotel’s legitimate booking pages, asking for payment, verification codes, login credentials, or personal information.

Founded in 1946 and headquartered in Pheonix, Arizona, BWH has generated over $8 billion in revenue annually since 2023, according to its website and industry stats.

So far, no threat actor has come forward to claim the hack.