ctipilot.ch

Home · Live brief · Weekly 2026-W20

BWH Hotels — 181-day unauthorised access to guest-reservation web application

notable incident discovered 2026-05-11 05:00 UTC single-source

Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)

Six EU brands (Best Western, WorldHotels, Sure Hotels and three sub-brands) in scope; 181-day dwell time indicates absent application-tier telemetry on the affected reservation web application. EU regulatory scope: GDPR Article 33 / 34 obligations for the six EU-brand reservation systems holding EU PII. The defender's learning: audit which guest-facing / citizen-facing web applications have no structured access-event telemetry into the SIEM (daily 2026-05-13).

data-breach europe us