BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day unauthorised access to guest reservation system

2026-05-13: BWH Hotels disclosed approximately 190-day unauthorised access (October 2025–April 2026) to a web application handling guest reservation data. Affected data includes names, email addresses, and booking details; BWH confirmed no payment or financial information was exposed. The access duration (~6 months) demonstrates the chronic detection-gap problem in hospitality PMS and web-booking systems. No named attacker group; root cause attributed to a web application vulnerability. European guests in scope given BWH's EU hotel portfolio.