BWH Hotels — 181-day unauthorised access to guest-reservation web application

Six EU brands (Best Western, WorldHotels, Sure Hotels and three sub-brands) in scope; 181-day dwell time indicates absent application-tier telemetry on the affected reservation web application. EU regulatory scope: GDPR Article 33 / 34 obligations for the six EU-brand reservation systems holding EU PII. The defender's learning: audit which guest-facing / citizen-facing web applications have no structured access-event telemetry into the SIEM (daily 2026-05-13).