ctipilot.ch

BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day dwell in guest-reservation web app, EEA guests in scope

incident · incident:bwh-hotels-breach-2026

  • Coverage timeline: 1 (first 2026-05-13 → last 2026-05-18)
  • Briefs: 1 (1 distinct)
  • Sources cited: 8 (8 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-13 · CTI Daily Brief — 2026-05-13
    active_threats · Initial disclosure 2026-05-11; six-month dwell from 2025-10-14 to 2026-04-22 in third-party web application; EEA properties in scope.

Where this entity is cited

  • active_threats: 1

Source distribution

  • dutchnews.nl: 1 (12%)
  • securityweek.com: 1 (12%)
  • techzine.eu: 1 (12%)
  • theregister.com: 1 (12%)
  • bitdefender.com: 1 (12%)
  • microsoft.com: 1 (12%)
  • ncsc.admin.ch: 1 (12%)
  • thehackernews.com: 1 (12%)

Related entities

Items in briefs about BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day dwell in guest-reservation web app, EEA guests in scope (4)

Shared booking-software breach exposes guests at 100+ Dutch, Belgian and Irish hotels; phishing wave already underway

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

More than 100 hotels in the Netherlands plus properties in Belgium and Ireland had guest reservation records (names, contact details, arrival/departure dates) exposed through a shared booking / channel-management / property-management SaaS layer rather than any single hotel's own systems (DutchNews.nl, 2026-06-03 · Techzine EU, 2026-06-03). Hospecs, coordinating the response, attributes the root cause to the upstream provider; the Dutch DPA (Autoriteit Persoonsgegevens) has opened an investigation and GDPR Art. 33/34 clocks are running for each hotel as an independent controller. Criminals are already sending contextually accurate "confirm and pay for your reservation" phishing referencing real upcoming stays. Defender takeaway: a textbook upstream-SaaS supply-chain breach where every downstream customer carries controller liability with zero visibility into the compromise — hunt for anomalous bulk-read API calls against reservation endpoints and treat reservation-context phishing as a known follow-on.

Hospitality

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

BWH Hotels (Best Western, WorldHotels, Sure Hotels): 181-day unauthorised access to a guest-reservation web application (daily 2026-05-13), six EU brands in scope. The 181-day dwell time is the operational lesson: a web-application access vector that escapes detection for half a year indicates absent application-tier telemetry, so the right SOC-management response is to audit which guest / customer-facing web applications have no structured access-event telemetry feeding into the SIEM. EU regulatory scope: any of the six EU-brand reservation systems holding EU PII triggers GDPR Article 33 / 34 obligations and likely informs CEF 2026 enforcement attention (see Policy section below).

BWH Hotels — 181-day unauthorised access to guest-reservation web application

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Six EU brands (Best Western, WorldHotels, Sure Hotels and three sub-brands) in scope; 181-day dwell time indicates absent application-tier telemetry on the affected reservation web application. EU regulatory scope: GDPR Article 33 / 34 obligations for the six EU-brand reservation systems holding EU PII. The defender's learning: audit which guest-facing / citizen-facing web applications have no structured access-event telemetry into the SIEM (daily 2026-05-13).

BWH Hotels (Best Western, WorldHotels, Sure Hotels) — 181-day unauthorised access to a guest-reservation web application, six EU brands in scope

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

BWH Hotels — the parent operating Best Western Hotels & Resorts, WorldHotels and Sure Hotels — disclosed that an unauthorised third party had access to a guest-reservation web application from 2025-10-14 to 2026-04-22, a 181-day dwell, before detection on 2026-04-22 prompted BWH to take the affected application offline (The Register, 2026-05-11; SecurityWeek, 2026-05-12). Disclosed data fields: guest names, email addresses, phone numbers, home addresses, reservation numbers, dates of stay and special requests; payment / financial data is stated as unaffected. BWH Hotels operates properties across multiple EEA jurisdictions, so EEA-resident guest data is in scope; the company has not yet published a per-country DPA notification list, and the cited disclosures do not enumerate per-country exposure. No attribution; no extortion demand reported.

Defender takeaway: The pattern — a third-party web application held attacker access for 181 days before discovery — fits the IAB / data-theft tradecraft we have been seeing repeatedly against EU SaaS estates: the asset is a single application sitting outside the corporate SOC's primary telemetry, with credentials likely harvested via infostealer or vishing of a contractor account. Detection concepts: instrument every customer-facing reservation / CRM / loyalty SaaS with download-volume alerting at the API tier (mapped to T1530 Data from Cloud Storage Object and, as the closest equivalent for SaaS databases, T1213.003 Data from Information Repositories: Code Repositories); push CASB DLP policies that flag bulk export of PII fields by any non-batch service account; require step-up auth on any session exporting more than N records per hour. Public-sector implication: government staff travelling on official duty and using BWH-brand properties had itinerary and contact data exposed; review whether any travel-booking integrations route through this application and, if so, treat the in-scope passport-data fields as compromised.
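The "more than N records per hour" rule and the bulk-read hunt on reservation endpoints described above can be sketched as a sliding-window detector over structured access events. This is an added example, not code from the brief or from BWH; the log schema, endpoint prefix, account names and the value of N are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access events (JSON lines). Field names, paths and
# account names are assumptions for illustration, not a real vendor schema.
SAMPLE_LOG = """\
{"ts":"2026-01-10T02:00:00","principal":"svc-nightly-batch","session":"s1","path":"/api/reservations/export","records":5000}
{"ts":"2026-01-10T08:00:00","principal":"frontdesk-3","session":"s4","path":"/api/reservations","records":300}
{"ts":"2026-01-10T09:00:00","principal":"contractor-7","session":"s2","path":"/api/reservations","records":200}
{"ts":"2026-01-10T09:10:00","principal":"frontdesk-3","session":"s4","path":"/api/reservations","records":300}
{"ts":"2026-01-10T09:20:00","principal":"contractor-7","session":"s2","path":"/api/reservations","records":200}
this line is truncated {"ts":
{"ts":"2026-01-10T09:40:00","principal":"contractor-7","session":"s2","path":"/api/reservations","records":200}
{"ts":"2026-01-10T09:50:00","principal":"contractor-7","session":"s2","path":"/api/reservations","records":200}
"""

BATCH_ACCOUNTS = {"svc-nightly-batch"}    # hypothetical allow-list of batch service accounts
RESERVATION_PREFIX = "/api/reservations"  # hypothetical reservation endpoint prefix
WINDOW = timedelta(hours=1)

def detect_bulk_reads(lines, n=500):
    """Alert once per session when records read inside WINDOW exceed n (events must be time-ordered)."""
    recent = defaultdict(deque)  # session -> (timestamp, records) still inside the window
    totals = defaultdict(int)    # session -> records currently inside the window
    alerted, alerts = set(), []
    for line in lines:
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            session, principal = ev["session"], ev["principal"]
            path, records = ev["path"], int(ev["records"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or incomplete event: skip, keep the pipeline running
        if principal in BATCH_ACCOUNTS or not path.startswith(RESERVATION_PREFIX):
            continue
        recent[session].append((ts, records))
        totals[session] += records
        while ts - recent[session][0][0] >= WINDOW:  # evict events older than the window
            totals[session] -= recent[session].popleft()[1]
        if totals[session] > n and session not in alerted:
            alerted.add(session)
            alerts.append({"session": session, "principal": principal, "ts": ev["ts"],
                           "records_in_window": totals[session], "action": "step_up_auth"})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG.splitlines()):
        print(alert)
```

An hourly threshold alone does not catch a reader that stays under N per hour for months, so pair it with a longer-window (daily or weekly) cumulative count per principal.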