BWH Hotels — 181-day unauthorised access to guest-reservation web application
notable incident · discovered 2026-05-11 05:00 UTC · single-source
Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)
Six EU brands (Best Western, WorldHotels, Sure Hotels and three sub-brands) are in scope. The 181-day dwell time indicates that application-tier telemetry was absent on the affected reservation web application. EU regulatory scope: GDPR Article 33 / 34 obligations apply to the six EU-brand reservation systems holding EU PII. Lesson for defenders: audit which guest-facing / citizen-facing web applications have no structured access-event telemetry feeding the SIEM (daily 2026-05-13).
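One way to run the audit described above, as an added example that is not part of the original brief: it joins an application inventory against a summary of SIEM log sources and reports exposed applications whose access-event feed is missing, unstructured or silent. The application names, field names, the `app_access` source label and the 24-hour silence threshold are all assumptions, and the data is constructed.

```python
from datetime import datetime, timedelta, timezone

ACCESS_EVENT = "app_access"  # assumed label for application-tier access events

# Constructed inventory (hypothetical application names).
INVENTORY = [
    {"app": "reservations-web", "exposure": "guest-facing"},
    {"app": "loyalty-portal", "exposure": "guest-facing"},
    {"app": "gift-cards", "exposure": "guest-facing"},
    {"app": "booking-api", "exposure": "guest-facing"},
    {"app": "hr-intranet", "exposure": "internal"},
]
# Constructed SIEM source summary: one row per (app, source type).
SIEM_SOURCES = [
    {"app": "reservations-web", "type": "waf", "structured": True,
     "last_seen": "2026-05-13T04:00:00+00:00"},
    {"app": "loyalty-portal", "type": "app_access", "structured": True,
     "last_seen": "2026-05-13T04:30:00+00:00"},
    {"app": "gift-cards", "type": "app_access", "structured": False,
     "last_seen": "2026-05-13T04:10:00+00:00"},
    {"app": "booking-api", "type": "app_access", "structured": True,
     "last_seen": "2026-04-01T00:00:00+00:00"},
]

def audit_telemetry(inventory, sources, now, max_silence=timedelta(hours=24)):
    """Return {app: reason} for exposed apps lacking usable access telemetry."""
    findings = {}
    for entry in inventory:
        if entry["exposure"] == "internal":
            continue  # audit scope: guest-facing / citizen-facing only
        feeds = [s for s in sources
                 if s["app"] == entry["app"] and s["type"] == ACCESS_EVENT]
        structured = [s for s in feeds if s["structured"]]
        if not feeds:  # perimeter logs (e.g. WAF) do not count as app-tier
            findings[entry["app"]] = "no access-event source in SIEM"
        elif not structured:
            findings[entry["app"]] = "access events present but unstructured"
        else:
            newest = max(datetime.fromisoformat(s["last_seen"]) for s in structured)
            if now - newest > max_silence:  # feed exists but has gone quiet
                findings[entry["app"]] = f"feed silent for {(now - newest).days} days"
    return findings

if __name__ == "__main__":
    now = datetime(2026, 5, 13, 5, 0, tzinfo=timezone.utc)  # constructed "now"
    for app, reason in audit_telemetry(INVENTORY, SIEM_SOURCES, now).items():
        print(f"{app}: {reason}")
```

The silence check matters as much as the presence check: a feed that was onboarded once and then stopped sending leaves the same blind spot as one that never existed.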