BWH Hotels Confirms Cyberattack, Exposing Customer Data in 2026 Breach
BWH Hotels, a global hospitality chain operating over 4,300 properties across 100+ countries, confirmed a cyberattack on April 22, 2026, resulting in the theft of sensitive customer data. The breach targeted a vulnerable web application storing guest reservation information, exposing names, email addresses, phone numbers, postal addresses, and reservation details including stay dates and special requests. Data compromised spanned records generated between October 14, 2025, and April 22, 2026, though the duration of the attackers’ undetected access remains unclear.
Notably, payment and banking details were not affected, as the compromised system did not store such information. Upon discovery, BWH Hotels took the application offline, revoked unauthorized access, and engaged external cybersecurity experts to investigate and reinforce security measures. The company also warned customers to remain cautious of phishing attempts, advising against interacting with suspicious communications referencing hotel stays or reservations.
BWH Hotels serves as the parent company for brands including Best Western Hotels & Resorts, WorldHotels, and SureStay Hotels, with annual revenues exceeding $8.5 billion. The incident underscores the ongoing risks to hospitality data, particularly in systems handling guest reservations.
BWH Hotels cybersecurity rating report: https://www.rankiteo.com/company/bwhhotels
"id": "BWH1778596643",
"linkid": "bwhhotels",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Records generated between '
'October 14, 2025, and April 22, '
'2026',
'industry': 'Hospitality',
'location': 'Global (100+ countries)',
'name': 'BWH Hotels',
'size': '4,300+ properties, $8.5B annual revenue',
'type': 'Hospitality Chain'}],
'attack_vector': 'Vulnerable web application',
'customer_advisories': 'Warning issued about phishing attempts referencing '
'hotel stays or reservations',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Names, email '
'addresses, phone '
'numbers, postal '
'addresses',
'sensitivity_of_data': 'High (PII and reservation details)',
'type_of_data_compromised': 'Guest reservation information'},
'date_detected': '2026-04-22',
'date_publicly_disclosed': '2026-04-22',
'description': 'BWH Hotels confirmed a cyberattack on April 22, 2026, '
'resulting in the theft of sensitive customer data, including '
'names, email addresses, phone numbers, postal addresses, and '
'reservation details. The breach targeted a vulnerable web '
'application storing guest reservation information.',
'impact': {'data_compromised': 'Names, email addresses, phone numbers, postal '
'addresses, reservation details (stay dates '
'and special requests)',
'identity_theft_risk': 'High',
'operational_impact': 'Web application taken offline',
'payment_information_risk': 'None (payment details not stored in '
'compromised system)',
'systems_affected': 'Guest reservation web application'},
'investigation_status': 'Ongoing',
'references': [{'source': 'BWH Hotels Incident Disclosure'}],
'response': {'communication_strategy': 'Customer advisory issued warning of '
'phishing risks',
'containment_measures': 'Web application taken offline, '
'unauthorized access revoked',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Security reinforcements implemented',
'third_party_assistance': 'External cybersecurity experts '
'engaged'},
'title': 'BWH Hotels Cyberattack and Data Breach',
'type': 'Data Breach'}