ctipilot.ch

BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day dwell in guest-reservation web app, EEA guests in scope

incident · incident:bwh-hotels-breach-2026

  • Coverage timeline: 1 brief, first 2026-05-13 → last 2026-05-13
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-13 · CTI Daily Brief — 2026-05-13
     active_threats: Initial disclosure 2026-05-11; six-month dwell from 2025-10-14 to 2026-04-22 in a third-party web application; EEA properties in scope.

Where this entity is cited

  • active_threats: 1

Source distribution

  • securityweek.com: 1 (50%)
  • theregister.com: 1 (50%)

Related entities

Items in briefs about BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day dwell in guest-reservation web app, EEA guests in scope (1)

BWH Hotels (Best Western, WorldHotels, Sure Hotels) — 181-day unauthorised access to a guest-reservation web application, six EU brands in scope

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

BWH Hotels, the parent operating Best Western Hotels & Resorts, WorldHotels and Sure Hotels, disclosed that an unauthorised third party had access to a guest-reservation web application from 2025-10-14 until detection on 2026-04-22, after which BWH took the affected application offline (The Register, 2026-05-11; SecurityWeek, 2026-05-12). Note that the "181-day" figure used for this entity does not match those dates: 2025-10-14 to 2026-04-22 spans 190 days, so either the day count or one of the dates in the cited coverage is off; "roughly six months" is the defensible statement of dwell. Disclosed data fields: guest names, email addresses, phone numbers, home addresses, reservation numbers, dates of stay and special requests; payment / financial data is stated as unaffected. BWH Hotels operates properties across multiple EEA jurisdictions, so EEA-resident guest data is in scope; the company has not yet published a per-country DPA notification list, and the cited disclosures do not enumerate per-country exposure. No attribution; no extortion demand reported.

Defender takeaway: The pattern, a third-party web application in which attacker access persisted for roughly six months before discovery, fits the IAB / data-theft tradecraft seen repeatedly against EU SaaS estates: a single application sitting outside the corporate SOC's primary telemetry. The cited disclosures give no initial-access vector; credentials harvested by an infostealer or by vishing a contractor account is the usual route in comparable cases and is a hypothesis here, not a finding. Detection concepts: instrument every customer-facing reservation / CRM / loyalty SaaS with download-volume alerting at the API tier (ATT&CK T1213.004 Data from Information Repositories: Customer Relationship Management Software is the closest mapping for a reservation database; T1530 Data from Cloud Storage applies only where the records sit in object storage); push CASB DLP policies that flag bulk export of PII fields by any account not on the sanctioned batch list; require step-up auth on any session exporting more than N records per hour, with N set from the application's observed per-user baseline rather than a guess. Public-sector implication: government staff travelling on official duty and staying at BWH-brand properties had itinerary and contact data exposed; review whether any travel-booking integrations route through this application. Passport or ID-document fields are not among the disclosed data fields, so confirm with the integration owner whether they were ever stored in the affected application before treating them as exposed.
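The per-principal export-volume alert described above, as an added worked example that is not code from the brief, from BWH Hotels or from the affected application. It assumes a hypothetical JSON-lines API access log with `principal`, `rows` and `fields` keys, hypothetical PII field names, and a hypothetical allow-list of sanctioned batch accounts; the log lines are constructed for the example. It sums PII-bearing rows per principal over a trailing one-hour window and emits a step-up-auth action when a non-batch account exceeds the budget.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical field names; the real reservation app's API schema is not public.
PII_FIELDS = {"guest_name", "email", "phone", "home_address"}
# Hypothetical allow-list of sanctioned bulk readers (nightly reporting etc.).
BATCH_ACCOUNTS = {"svc-nightly-report"}

# Constructed sample log lines (not from any real system). One line per API
# response: who called, when, how many rows came back and which fields.
SAMPLE_LOG = """
{"ts":"2026-04-21T22:05:00Z","principal":"contractor-j.doe","path":"/api/reservations","rows":400,"fields":["guest_name","email","reservation_id"]}
{"ts":"2026-04-21T22:20:00Z","principal":"contractor-j.doe","path":"/api/reservations","rows":450,"fields":["guest_name","email","phone"]}
{"ts":"2026-04-21T22:40:00Z","principal":"contractor-j.doe","path":"/api/reservations","rows":300,"fields":["guest_name","home_address"]}
{"ts":"2026-04-21T23:00:00Z","principal":"svc-nightly-report","path":"/api/reservations/export","rows":50000,"fields":["guest_name","email","phone","home_address"]}
{"ts":"2026-04-21T23:30:00Z","principal":"frontdesk-01","path":"/api/reservations","rows":5,"fields":["guest_name","reservation_id"]}
{"ts":"2026-04-22T00:10:00Z","principal":"contractor-j.doe","path":"/api/reservations","rows":200,"fields":["guest_name","email"]}
"""


def parse_ts(s):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bulk_pii_export(log_text, rows_per_hour=1000, window=timedelta(hours=1)):
    """Return one alert per event at which a non-batch principal's PII-bearing
    rows over the trailing window exceed rows_per_hour.

    Only responses that include at least one PII field count toward the budget;
    accounts on BATCH_ACCOUNTS are tracked but never alerted on."""
    # Sort by timestamp so the sliding window is valid even if lines arrive out of order.
    events = sorted((json.loads(line) for line in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    windows = defaultdict(deque)   # principal -> deque of (ts, rows) inside the window
    totals = defaultdict(int)      # principal -> rows currently inside the window
    alerts = []
    for e in events:
        if not (set(e["fields"]) & PII_FIELDS):
            continue  # no PII fields returned: not counted against the budget
        p = e["principal"]
        ts = parse_ts(e["ts"])
        q = windows[p]
        q.append((ts, e["rows"]))
        totals[p] += e["rows"]
        # Evict events older than the trailing window before checking the budget.
        while q and ts - q[0][0] > window:
            _, old_rows = q.popleft()
            totals[p] -= old_rows
        if totals[p] > rows_per_hour and p not in BATCH_ACCOUNTS:
            alerts.append({
                "principal": p,
                "at": e["ts"],
                "rows_last_hour": totals[p],
                "action": "require_step_up_auth",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_pii_export(SAMPLE_LOG):
        print(a)
```

In the constructed log the contractor account crosses the 1,000-row budget on its third read at 22:40 (1,150 rows in the trailing hour), the sanctioned batch export is ignored despite its 50,000 rows, and the 00:10 read does not alert because the earlier reads have aged out of the window. In production the threshold should come from the application's own baseline, and the alert should feed the CASB / IdP step-up policy rather than just a log line.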