BWH Hotels — the parent of Best Western, WorldHotels and Sure Hotels — has confirmed an attacker had access to one of its guest reservation web apps for more than six months before the intrusion was discovered. As reported by The Register, the unauthorised access started on 14 October 2025 and was only detected on 22 April 2026. Names, email addresses, phone numbers, home addresses, reservation numbers, dates of stay and special requests were all exposed for “certain guests” of the group’s 4,500-plus hotels.
The stolen data isn’t credit card details, but it’s exactly what phishing crews need to send convincing fake confirmation emails or pre-arrival “you need to verify your booking” messages. Hospitality guests are easy targets — they’re often travelling, distracted, and used to getting emails from hotel brands at odd hours. For Australian venues this is also now a Privacy Act issue. If a similar breach hit your booking platform, OAIC notification could be required within 30 days, and reputational damage among guests will hit faster than any regulatory penalty.
Three things worth checking this week. One: how long would your booking platform’s logs show an intruder sitting inside? If the answer is “I don’t know”, that’s the gap to close — six months of silent access is the real story here. Two: who has access to your guest database, and is MFA enforced on every account, including third-party integrations? Three: brief your front desk and reservations team on what to do when guests ring about suspicious confirmation emails. They’ll hear about a breach before your monitoring tools will.
Most venues we audit have at least one third-party booking integration running without MFA and with no useful log retention. If you’d like a second set of eyes on yours, our hospitality IT team can walk through what’s exposed and what’s worth fixing first.
