Best Western Hotels warns customers reservation data may have been spilled in breach

News
By published

Unnamed attackers stole data on an undisclosed number of Best Western customers

Illustration of a hooked email hovering over a mobile phone
(Image credit: Getty Images)
  • BWH Hotels confirmed a cyberattack on April 22, 2026, stealing customer names, emails, phone numbers, postal addresses, and reservation details
  • Attackers exploited a flaw in a web app holding guest reservation data, but payment and bank details were not affected
  • Company took the app offline, engaged external experts, and urged customers to stay vigilant against suspicious communications

BWH Hotels, a major global hospitality chain operating thousands of hotels around the world, has confirmed suffering a cyberattack and losing sensitive customer data.

In a data breach notification recently sent to affected individuals, the company’s Chief Technology Officer (CTO) Bill Ryan said the attack was spotted on April 22, 2026. The crooks stole sensitive data, including people’s names, email addresses, telephone numbers, and postal addresses, of a yet undetermined number of people.

Reservation details, including reservation numbers, dates of stay, and special requests, were also nabbed.

Latest Videos From

A warning to users

The data was generated between October 14, 2025, and April 22, 2026, but it was left unclear how long the crooks lurked within BWH Hotels’ systems.

The unnamed attackers apparently found a flaw in a web application that housed certain guest reservation data, but that information did not include payment or bank details.

"Upon discovering the incident, we immediately took the application offline and revoked the unauthorized access," Ryan told The Register in a written statement.

"We have engaged leading external cybersecurity experts to support our incident response efforts and to assist with the further strengthening of existing safeguards."

Ryan also urged its customers to be “extra vigilant” when viewing any unexpected or suspicious communications about hotel stays.

“If you receive a suspicious communication such as an unexpected email, text, WhatsApp message, or telephone call that asks for payment, codes, logins, or 'verification,' even if they reference a BWH Hotels property or an upcoming reservation, do not engage. Navigate to sites directly rather than clicking links,” he stressed.

BWH Hotels is a global hotel group that serves as the parent organization for Best Western Hotels & Resorts, WorldHotels, and SureStay Hotels. It operates roughly 4,300 hotels across more than 100 countries, and earns more than $8.5 billion annually.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.