Hotel guests have been warned to stay alert for convincing fraudulent messages following a data breach at a major hotel chain. Personal information belonging to individuals with reservations at one of the chain's properties was compromised over a six-month period.
Breach Details
BWH Hotels, the parent company behind WorldHotels, Best Western Hotels & Resorts, and Sure Hotels, notified customers of the breach by email, confirming that "certain guests' names, email addresses, telephone numbers, and/or home addresses, along with other reservation details" had been accessed between October 14, 2025 and April 22, 2026. It added: "Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed."
The firm confirmed it had acted to stop the unauthorised access and was introducing further security measures to guard against future incidents. Those affected were advised to take steps to protect themselves from fraudsters, with particular warnings to be wary of unsolicited emails, texts, WhatsApp messages or phone calls concerning hotel bookings.
Expert Warning
Privacy specialists have now warned that the true concern extends beyond what was taken, to how that information could potentially be exploited. Hotel reservation details can add authenticity to subsequent scams, as criminals may be able to reference genuine stays, dates, locations or booking references.
Peter Nguyen, a privacy expert from Protect My Data, cautions that holidaymakers shouldn't dismiss this kind of breach merely because payment information wasn't exposed. "A hotel reservation contains more useful information than people realise."
"A scammer does not always need your card number to target you. If they know your name, phone number, hotel, stay dates and booking reference, they can make a fake message look extremely convincing."
"That is the risk with travel data. It gives criminals context. Instead of sending a vague scam, they can contact you with details that feel personal and accurate."
Nguyen recommends guests remain especially alert to any unsolicited communications suggesting there's a problem with a booking, payment, refund or reservation. He cautioned that a fraudster might impersonate someone from the hotel, a booking website, customer service team or payments division.
The correspondence may claim that a card needs re-verification, a stay is at risk of cancellation, a refund is awaiting processing, or that further details are needed before check-in. He stated: "The most dangerous message is one that sounds helpful. It might say your booking needs confirming, your payment failed, or your refund is ready. Because it references a real hotel stay, people are more likely to click."
"If the message asks for payment, codes, logins or verification, do not engage through that message. Go directly to the hotel or booking platform yourself."
Nguyen emphasises that WhatsApp and SMS messages present a particularly elevated threat because of their instant nature. "A text or WhatsApp message creates urgency. It feels like someone is dealing with your booking right now. That pressure makes people act faster than they would with an email."
BWH Hotels' own warning has advised customers against replying to suspicious communications requesting payment, codes, logins or verification, even when they reference a BWH Hotels property or an upcoming reservation.
Why Reservation Data Holds Such Value
While many people are chiefly worried about card details in a data breach, Nguyen insists that contact and booking information can still present considerable danger. He explained: "Names, phone numbers and email addresses are the starting point for phishing. Add reservation details and the scam becomes much more targeted."
"A criminal could send a message saying, 'Your stay at this property on this date needs confirmation.' That feels completely different from a generic scam email because it contains something real."
He observed that postal addresses can also make scams appear more credible. He explained: "If a scammer has your address, they can make a fake message feel more official. They might use it in a fake invoice, refund notice, complaint response or identity check."
Special requests might also expose details guests didn't anticipate becoming part of a security concern. "People sometimes include personal information in hotel requests, such as accessibility needs, arrival times, family arrangements or reasons for travel. Even small details can help scammers tailor their approach."
What Guests Should Do Now
Nguyen says anyone who has stayed with, or booked through, a BWH Hotels property during the affected period should remain vigilant, but not panic. He added: "The first step is awareness. If you receive a message about a Best Western, WorldHotels or SureStay booking, slow down and verify it independently."
He advised guests to refrain from clicking links in unsolicited messages. "Open the official hotel website yourself, use the original booking confirmation, or contact the property through a trusted number," he said. "Do not use a number or link sent in a suspicious message."
Guests should equally exercise caution if asked to confirm personal details, he warned. "A genuine hotel may need basic details to find your booking, but they should not ask for banking codes, account passwords or card security codes through an unexpected message."
Should anyone have already clicked a suspicious link or divulged card details, Nguyen urges them to contact their bank without delay. He warned: "Speed matters. If you entered payment details, call your bank straight away. If you entered a password, change it immediately, especially if you use it anywhere else."
He also recommends protecting email accounts, as email is commonly the method fraudsters use to gain access to other accounts. "Your email account is the front door to much of your digital life," he said. "Use a strong, unique password and switch on two-factor authentication."
Why This Warning Matters for Summer Travel
The breach comes at a time when countless holidaymakers are booking summer accommodation, weekend breaks and last-minute trips. Nguyen believes this makes hotel-related scams particularly dangerous.
"Travel season gives scammers a huge advantage. People are expecting hotel messages, payment reminders and booking updates. That makes fake messages easier to hide among real ones."
He advises guests to be especially wary of messages received shortly before their check-in date. "A message sent shortly before a stay can create panic. If it says your room will be cancelled unless you act now, that is exactly when you need to stop."
The most reliable approach, Nguyen insists, is to treat unexpected booking communications with suspicion until verified otherwise. He said: "If a message knows your hotel and dates, that does not automatically make it real. It may simply mean the scammer has booking data. Do not let accurate details rush you into clicking. Verify through the official route every time."
What BWH Said
In its email, signed by Bill Ryan, Chief Technology Officer of the hotel chain and sent last month, it said: "BWH Hotels, the parent company for WorldHotels, Best Western Hotels & Resorts, and Sure Hotels, takes the privacy and security of our guests’ personal information very seriously. We are writing to let you know that on April 22, 2026, we identified unauthorised activity in one of our web applications that houses certain guest reservation data."
"We have learned that certain guests’ names, email addresses, telephone numbers, and/or home addresses, along with other reservation details (e.g., reservation numbers, dates of stay, and any special requests) for reservations in our system were accessed by an unauthorised third‑party between October 14, 2025 and April 22, 2026, including yours. Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed."
"Upon discovering the incident, we immediately took the application offline and revoked the unauthorised access. We have engaged leading external cybersecurity experts to support our incident response efforts and to assist with the further strengthening of existing safeguards."
"We advise guests to be extra vigilant when viewing any unexpected or suspicious communications about hotel stays. If you receive a suspicious communication such as an unexpected email, text, WhatsApp message, or telephone call that asks for payment, codes, logins, or 'verification,' even if they reference a BWH Hotels property or an upcoming reservation, do not engage. Navigate to sites directly rather than clicking links."
As part of protecting your personal information and to prevent payments to fraudulent parties, here are some precautions you can take:
- Stay alert for suspicious sender addresses, urgent or unexpected unsolicited requests, and strange links, especially any unexpected request for payment or personal information. Treat any suspicious request with caution. If you have a question regarding a suspicious request, please contact our customer service team.
- Scammers may create webpages that closely resemble legitimate hotel booking pages. Always review the web address before entering payment details. If a page looks unexpected or unfamiliar, stop and verify it with our customer service team before proceeding.
- If you entered or shared any payment (credit card) information in response to a scam, please immediately report it to your financial institution and follow security steps they recommend.
If you have any questions, please contact BWH Hotels' data protection office at dpo@bwh.com.
