Hotel guests have been urged to remain vigilant for convincing scam messages following a data breach at a major hotel chain. Personal details of individuals with bookings at one of the chain's properties were compromised over a six-month period.
Breach Details and Immediate Actions
BWH Hotels, the parent company behind WorldHotels, Best Western Hotels & Resorts, and Sure Hotels, alerted customers to the breach via email. The company stated that "certain guests' names, email addresses, telephone numbers, and/or home addresses, along with other reservation details" had been accessed between October 14, 2025 and April 22, 2026. It added: "Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed."
The company confirmed it had taken measures to halt the unauthorised access and was implementing additional security protocols to prevent future breaches. Affected customers were advised to take precautions to ensure fraudsters could not exploit them, with warnings to be particularly wary of unsolicited emails, texts, WhatsApp messages or phone calls relating to hotel reservations.
Expert Insights on Data Exploitation
Privacy experts have now cautioned that the real concern lies not just in what was stolen, but in how that data could be used. Hotel booking information can lend credibility to subsequent scams, as criminals may be able to cite genuine stays, dates, locations or reservation numbers.
Peter Nguyen, a privacy expert from Protect My Data, warns that travellers should not brush off this type of breach simply because payment details were not compromised. "A hotel reservation contains more useful information than people realise. A scammer does not always need your card number to target you. If they know your name, phone number, hotel, stay dates and booking reference, they can make a fake message look extremely convincing. That is the risk with travel data. It gives criminals context. Instead of sending a vague scam, they can contact you with details that feel personal and accurate."
Nguyen advises guests to exercise particular vigilance regarding any unexpected communication claiming there is an issue with a booking, payment, refund or reservation. He warned that a fraudster could pose as a representative from the hotel, a booking platform, customer support team or payment department. The message may allege that a card requires reverification, a stay faces cancellation, a refund is pending, or that additional information is required prior to arrival. He said: "The most dangerous message is one that sounds helpful. It might say your booking needs confirming, your payment failed, or your refund is ready. Because it references a real hotel stay, people are more likely to click. If the message asks for payment, codes, logins or verification, do not engage through that message. Go directly to the hotel or booking platform yourself."
Nguyen highlights that WhatsApp and SMS messages pose a particularly heightened risk due to their immediacy. "A text or WhatsApp message creates urgency. It feels like someone is dealing with your booking right now. That pressure makes people act faster than they would with an email."
Why Reservation Data Holds Such Value
While many individuals are primarily concerned about card details in a data breach, Nguyen maintains that contact and booking information can still pose significant danger. He explained: "Names, phone numbers and email addresses are the starting point for phishing. Add reservation details and the scam becomes much more targeted. A criminal could send a message saying, 'Your stay at this property on this date needs confirmation.' That feels completely different from a generic scam email because it contains something real."
He noted that postal addresses can also lend scams greater legitimacy. He explained: "If a scammer has your address, they can make a fake message feel more official. They might use it in a fake invoice, refund notice, complaint response or identity check. Special requests may also reveal details guests did not expect to become part of a security issue. People sometimes include personal information in hotel requests, such as accessibility needs, arrival times, family arrangements or reasons for travel. Even small details can help scammers tailor their approach."
What Guests Should Do Now
Nguyen says anyone who has stayed with, or booked through, a BWH Hotels property during the affected period should remain vigilant, but not panic. He added: "The first step is awareness. If you receive a message about a Best Western, WorldHotels or SureStay booking, slow down and verify it independently."
He advised guests to refrain from clicking links in unsolicited messages. "Open the official hotel website yourself, use the original booking confirmation, or contact the property through a trusted number. Do not use a number or link sent in a suspicious message."
Guests should equally exercise caution if asked to confirm personal details, he warned. "A genuine hotel may need basic details to find your booking, but they should not ask for banking codes, account passwords or card security codes through an unexpected message."
Should anyone have already clicked a suspicious link or divulged card details, Nguyen urges them to contact their bank without delay. He warned: "Speed matters. If you entered payment details, call your bank straight away. If you entered a password, change it immediately, especially if you use it anywhere else."
He also advises safeguarding email accounts, as email is frequently the channel scammers exploit to reset other accounts. "Your email account is the front door to much of your digital life. Use a strong, unique password and switch on two-factor authentication."
Why This Warning Matters for Summer Travel
The breach arrives as numerous holidaymakers are arranging summer accommodation, weekend getaways and spontaneous trips. Nguyen suggests this makes hotel-related scams particularly hazardous. "Travel season gives scammers a huge advantage. People are expecting hotel messages, payment reminders and booking updates. That makes fake messages easier to hide among real ones."
He suggests guests ought to be especially cautious of messages arriving close to their check-in date. "A message sent shortly before a stay can create panic. If it says your room will be cancelled unless you act now, that is exactly when you need to stop."
The most reliable approach, Nguyen maintains, is to regard unexpected booking messages as suspicious until confirmed otherwise. He said: "If a message knows your hotel and dates, that does not automatically make it real. It may simply mean the scammer has booking data. Do not let accurate details rush you into clicking. Verify through the official route every time."
Official Communication from BWH Hotels
The company's email, signed by Bill Ryan, Chief Technology Officer of the hotel chain, and sent last month, said: "BWH Hotels, the parent company for WorldHotels, Best Western Hotels & Resorts, and Sure Hotels, takes the privacy and security of our guests’ personal information very seriously. We are writing to let you know that on April 22, 2026, we identified unauthorised activity in one of our web applications that houses certain guest reservation data. We have learned that certain guests’ names, email addresses, telephone numbers, and/or home addresses, along with other reservation details (e.g., reservation numbers, dates of stay, and any special requests) for reservations in our system were accessed by an unauthorised third‑party between October 14, 2025 and April 22, 2026, including yours. Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed. Upon discovering the incident, we immediately took the application offline and revoked the unauthorised access. We have engaged leading external cybersecurity experts to support our incident response efforts and to assist with the further strengthening of existing safeguards."
The email continued: "We advise guests to be extra vigilant when viewing any unexpected or suspicious communications about hotel stays. If you receive a suspicious communication such as an unexpected email, text, WhatsApp message, or telephone call that asks for payment, codes, logins, or ‘verification,’ even if they reference a BWH Hotels property or an upcoming reservation, do not engage. Navigate to sites directly rather than clicking links. As part of protecting your personal information and to prevent payments to fraudulent parties, here are some precautions you can take: Stay alert for suspicious sender addresses, urgent or unexpected unsolicited requests, and strange links, especially any unexpected request for payment or personal information. Treat any suspicious request with caution. If you have a question regarding a suspicious request, please contact our customer service team. Scammers may create webpages that closely resemble legitimate hotel booking pages. Always review the web address before entering payment details. If a page looks unexpected or unfamiliar, stop and verify it with our customer service team before proceeding. If you entered or shared any payment (credit card) information in response to a scam, please immediately report it to your financial institution and follow security steps they recommend. If you have any questions, please contact BWH Hotels' data protection office at dpo@bwh.com."



