BWH Hotels Discloses Third-Party Data Breach Affecting Guest Information
BWH Hotels, the parent company of brands including WorldHotels, Best Western Hotels & Resorts, and Sure Hotels, has notified customers of a third-party data breach exposing six months of guest reservation data. The intrusion was detected on April 22, 2025, but the compromised data spans from October 14, 2024, to the discovery date.
According to CTO Bill Ryan, unauthorized access targeted a web application storing guest reservation details. Exposed information includes names, email addresses, phone numbers, home addresses, reservation numbers, stay dates, and special requests. The company confirmed that no payment or banking details were accessed.
The breach’s timeline remains unclear whether the attack began in October and went undetected or if a later incident exposed archived data. BWH Hotels has not responded to inquiries about potential ties to a March 2025 report of stolen booking data being used in phishing campaigns, which the company previously neither confirmed nor denied.
Upon discovery, BWH Hotels took the affected application offline, revoked unauthorized access, and engaged external cybersecurity experts to bolster defenses. The company has not disclosed the number of affected guests.
BWH Hotels cybersecurity rating report: https://www.rankiteo.com/company/bwhhotels
"id": "BWH1778510481",
"linkid": "bwhhotels",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Hospitality',
'name': 'BWH Hotels',
'type': 'Parent Company'},
{'industry': 'Hospitality',
'name': 'WorldHotels',
'type': 'Brand'},
{'industry': 'Hospitality',
'name': 'Best Western Hotels & Resorts',
'type': 'Brand'},
{'industry': 'Hospitality',
'name': 'Sure Hotels',
'type': 'Brand'}],
'attack_vector': 'Third-party web application',
'customer_advisories': 'Customer notification sent',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Personally identifiable information '
'(PII)',
'type_of_data_compromised': ['Names',
'Email addresses',
'Phone numbers',
'Home addresses',
'Reservation numbers',
'Stay dates',
'Special requests']},
'date_detected': '2025-04-22',
'description': 'BWH Hotels, the parent company of brands including '
'WorldHotels, Best Western Hotels & Resorts, and Sure Hotels, '
'has notified customers of a third-party data breach exposing '
'six months of guest reservation data. The intrusion was '
'detected on April 22, 2025, but the compromised data spans '
'from October 14, 2024, to the discovery date. Exposed '
'information includes names, email addresses, phone numbers, '
'home addresses, reservation numbers, stay dates, and special '
'requests. No payment or banking details were accessed.',
'impact': {'data_compromised': 'Guest reservation data',
'identity_theft_risk': 'Potential',
'payment_information_risk': 'None',
'systems_affected': 'Web application storing guest reservation '
'details'},
'references': [{'source': 'Cyber Incident Description'}],
'response': {'communication_strategy': 'Customer notification',
'containment_measures': 'Took the affected application offline, '
'revoked unauthorized access',
'remediation_measures': 'Bolstered defenses',
'third_party_assistance': 'External cybersecurity experts'},
'title': 'BWH Hotels Discloses Third-Party Data Breach Affecting Guest '
'Information',
'type': 'Data Breach'}