
"BWH Hotels is informing customers about a third-party data breach that gave cybercriminals access to six months' worth of data. The notification email stated that BWH Hotels, which owns the WorldHotels, Best Western Hotels & Resorts, and Sure Hotels brands, identified the intrusion on April 22, but the affected data goes back to October 14, 2025."
"BWH Hotels CTO Bill Ryan, who penned the notification email, said names, email addresses, telephone numbers, and/or home addresses belonging to "certain guests" were accessed by an unauthorized third party. The intruders also accessed reservation details, such as reservation numbers, dates of stay, and any special requests."
"It confirmed that the attack targeted one of its "web applications that houses certain guest reservation data." No payment or bank details were involved. The Register asked BWH Hotels whether the intrusion began in October and went undetected until April, or whether a later breach exposed data dating back to October."
""Upon discovering the incident, we immediately took the application offline and revoked the unauthorized access," said Ryan. "We have engaged leading external cybersecurity experts to support our incident response efforts and to assist with the further strengthening of existing safeguards." "We advise guests to be extra vigilant when viewing any unexpected or suspicious communications about hotel stays. If you receive a suspicious communication such as an unexpected email, text, WhatsApp message, or telephone call that asks for payment, codes, logins, or 'veri"
BWH Hotels notified customers about a third-party data breach that provided unauthorized access to guest information. The intrusion was identified on April 22, but the affected data dates back to October 14, 2025. The accessed data included names, email addresses, telephone numbers, and/or home addresses for certain guests. Reservation details were also accessed, including reservation numbers, dates of stay, and special requests. The breach targeted a web application that houses guest reservation data. No payment or bank details were involved. After discovering the incident, the company took the application offline and revoked unauthorized access, and it engaged external cybersecurity experts. Guests were advised to watch for suspicious communications related to hotel stays, especially messages requesting payment, codes, or logins.
Read at theregister