•Web application vulnerability enabled unauthorised access to reservation systems from late 2025 to April 2026
•Guest booking metadata including stay dates and hotel locations enables highly personalised phishing attacks
The fact
Best Western Hotels has confirmed that an unauthorised third party accessed its booking and reservation systems through a web application vulnerability. The intrusion persisted for several months between late 2025 and April 2026. Exposed data includes guest names, contact details and reservation information such as hotel locations and stay dates. Payment card and core financial data were not stored on the affected systems.
The assessment
The breach reflects a growing travel-sector pattern where reservation metadata is more valuable than financial records. Attackers can craft convincing phishing messages impersonating hotels using accurate booking details, increasing fraud success rates. The case aligns with similar recent incidents across online travel platforms, pointing to systemic exposure in booking infrastructure rather than an isolated corporate failure. For infrastructure teams, it highlights how web application vulnerabilities remain the primary attack vector across hospitality IT stacks.
What to watch
Whether Best Western discloses the specific entry vector and expands the scope of affected guests, and whether regulators connect this breach to wider compromises across the hotel booking ecosystem.
Also read: BT wins telecom infrastructure role for Euro 2028
Also read: Anthropic takes full SpaceX Memphis data centre capacity
