Hospitality

BWH Hotels (Best Western, WorldHotels, Sure Hotels) 181-day unauthorised access to a guest-reservation web application (daily 2026-05-13), six EU brands in scope. The 181-day dwell time is the operational lesson: a web-application access vector that escapes detection for half a year indicates absent application-tier telemetry — the right SOC-management response is to audit which guest / customer-facing web applications have no structured access-event telemetry feeding into the SIEM. EU regulatory scope: any of the six EU-brand reservation systems holding EU PII triggers GDPR Article 33 / 34 obligations and likely informs CEF 2026 enforcement attention (see Policy section below).