Skip to content
Data breachContained

Data leak at Best Western Hotels - customer reservations accessed

Best Western parent BWH Hotels disclosed in May 2026 that an unauthorised third party had access to a guest-reservation web application from 14 October 2025 to 22 April 2026, exposing names, emails, phone numbers, postal addresses and booking details; payment data was not affected.

Victim
Best Western Hotels

On 12 May 2026, Best Western Hotels — operating under its parent company BWH Hotels, one of the world's largest hotel networks with more than 4,000 properties across over 100 countries — confirmed that customer reservation data had been exposed in a cyberattack.

According to the company, an unauthorised third party gained access to a web application that holds certain guest-reservation data. The intrusion went undetected for roughly six months, from 14 October 2025 until it was discovered on 22 April 2026. The attack vector was a compromised web application; the specific method of intrusion has not been publicly disclosed, and no known cybercrime group has claimed responsibility.

The exposed data was limited to contact and booking information:

  • First and last name
  • Email address
  • Telephone number
  • Postal address
  • Reservation numbers and dates of stay
  • Booking requests or preferences

BWH Hotels stressed that payment and other financial information was not stored in the affected system and was therefore not accessed.

On discovering the unauthorised activity, the company took the compromised application offline, revoked the attacker's access and opened an investigation with external security experts. Affected guests were notified by email and warned to be vigilant against phishing emails, fraudulent SMS messages and fake reservation portals that criminals could build using the exposed booking details. The exact number of guests affected has not been disclosed.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-05-12-best-western-hotels
  2. cyberattaque.orghttps://www.cyberattaque.org/best-western-des-donnees-de-reservation-clients-exposees-apres-une-cyberattaque/
  3. securityweek.comhttps://www.securityweek.com/bwh-hotels-says-hackers-had-access-to-reservation-data-for-6-months/
  4. theregister.comhttps://www.theregister.com/security/2026/05/11/best-western-hotels-confirms-web-app-data-breach/

Related incidents