BWH Hotels confirms six-month guest data exposure

The incident highlights the growing cybersecurity risks facing hotel reservation systems and guest communication channels

BWH Hotels has disclosed that hackers had access to parts of its reservation infrastructure for more than six months before the intrusion was detected in April 2026. The compromised system reportedly contained guest reservation information, including names, email addresses, phone numbers, and booking details. Although the company stated that payment data was not stored in the affected application, the incident highlights the increasing cybersecurity pressure facing hotel groups and their technology ecosystems. For hoteliers, the breach is another reminder that guest trust, brand reputation, and operational resilience are now closely tied to cybersecurity preparedness.

Key takeaways

• Reservation systems are becoming a major attack surface: The breach involved a web application containing guest reservation data, highlighting how booking and CRM-related systems are increasingly attractive targets for attackers.
• Guest communication channels may now carry higher risk: Access to names, emails, phone numbers, and reservation details could enable highly convincing phishing campaigns impersonating hotels, loyalty programs, or customer support teams.
• Cybersecurity is now a guest trust issue: Even when payment data is not compromised, prolonged unauthorized access to guest information can still damage brand confidence and customer relationships.
• Third-party and legacy systems remain a concern: The incident reinforces the need for hotel groups and independent properties to continuously review the security posture of connected applications, integrations, and vendor ecosystems.
• Detection speed matters as much as prevention: Attackers reportedly maintained access for over six months, underlining the importance of monitoring, anomaly detection, and incident response capabilities — not just perimeter security.
• Operational disruption can extend beyond IT: Taking systems offline during investigations can affect reservations, guest servicing, communications, and internal workflows, making cybersecurity an operational continuity issue for hotels.
• Hospitality continues to attract cybercriminals: Hotels remain valuable targets because they handle large volumes of personal traveler data, loyalty information, and reservation activity across distributed systems and properties.
• The industry may face growing regulatory scrutiny: As cyber incidents in hospitality become more frequent, hotel groups may encounter increased pressure around disclosure obligations, data governance, and cybersecurity accountability.

Source: SecurityWeek

Read also: Booking.com data breach exposes guest booking information

Enjoying this analysis? Hospitality.today delivers daily insights on hotel distribution, AI trends, and travel commerce — straight to your inbox. Subscribe for free at Hospitality.today →