Summit Hotel Properties, a publicly traded real estate investment trust (REIT) specializing in upscale U.S. hotels, suffered a data breach in October 2025. An external threat actor, the hacking group Worldleaks, infiltrated corporate servers and exfiltrated sensitive personally identifiable information (PII), including names, dates of birth, addresses, phone numbers, email addresses, and Social Security numbers. The breach was contained within 24 hours, but Worldleaks threatened to publish the stolen data on the dark web. While initially reporting only one affected individual in New Hampshire, the investigation remains ongoing, suggesting a potentially broader impact. The company offered 24 months of complimentary identity theft protection (Kroll) and disclosed the incident to the New Hampshire Attorney General’s office on November 21, 2025. Affected individuals may face risks of identity theft, financial fraud, and emotional distress, with legal recourse available for compensation.
Source: https://www.claimdepot.com/investigations/summit-hotel-properties-data-breach-2025
Summit Hotels & Resorts cybersecurity rating report: https://www.rankiteo.com/company/summit-hotelsandresorts
"id": "SUM4620446112525",
"linkid": "summit-hotelsandresorts",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'At least 1 (New Hampshire), '
'investigation ongoing for full '
'scope',
'industry': 'Hospitality / Lodging',
'location': 'Austin, Texas, USA',
'name': 'Summit Hotel Properties',
'size': '~85 employees',
'type': 'Publicly Traded Real Estate Investment Trust '
'(REIT)'}],
'customer_advisories': ['Data breach notifications sent to affected '
'individuals',
'Offer of 24 months of Kroll identity theft '
'protection',
'Guidance on monitoring accounts and placing fraud '
'alerts'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Documents'],
'personally_identifiable_information': ['Name',
'Date of Birth',
'Address',
'Phone number',
'Email address',
'Social Security '
'number'],
'sensitivity_of_data': 'High (includes SSNs)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Corporate documents']},
'date_detected': '2025-10-05',
'date_publicly_disclosed': '2025-11-21',
'date_resolved': '2025-10-06',
'description': 'Summit Hotel Properties, a publicly traded real estate '
'investment trust (REIT), experienced a data breach where an '
'external threat actor accessed corporate servers and '
'exfiltrated documents containing personally identifiable '
"information (PII). The hacking group 'Worldleaks' claimed "
'responsibility and threatened to publish the stolen data on '
'the dark web. The breach was contained within a day, and '
'affected individuals may be eligible for compensation.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of PII and threat of dark web '
'publication',
'data_compromised': ['Name',
'Date of Birth',
'Address',
'Phone number',
'Email address',
'Social Security number'],
'identity_theft_risk': 'High (PII including SSNs exposed)',
'legal_liabilities': 'Potential lawsuits and compensation claims '
'from affected individuals',
'systems_affected': ['Corporate servers']},
'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (by '
'Worldleaks)',
'high_value_targets': ['Corporate servers '
'containing PII']},
'investigation_status': 'Ongoing (full scope of breach not yet determined as '
'of Nov. 21, 2025)',
'ransomware': {'data_exfiltration': True},
'recommendations': ['Sign up for complimentary 24 months of Kroll identity '
'theft protection',
'Monitor financial statements for suspicious activity',
'Place a fraud alert on credit reports',
'Request free annual credit reports from major bureaus',
'Seek legal counsel for compensation claims'],
'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'}],
'regulatory_compliance': {'legal_actions': ['Potential class-action lawsuits '
'by affected individuals (led by '
'Shamis & Gentile P.A.)'],
'regulatory_notifications': ['New Hampshire '
'Attorney General’s '
'office']},
'response': {'communication_strategy': ['Public disclosure to New Hampshire '
'Attorney General’s office',
'Customer notifications (ongoing)'],
'containment_measures': 'Immediate steps taken to contain the '
'incident within 24 hours',
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['24 months of complimentary Kroll identity '
'theft protection for affected '
'individuals'],
'third_party_assistance': ['Cybersecurity experts (forensic and '
'remediation)',
'Kroll (identity theft protection '
'services)']},
'threat_actor': 'Worldleaks',
'title': 'Summit Hotel Properties Data Breach',
'type': 'Data Breach'}