Question 1

What happened?

Accepted Answer

In March 2026, a temporary external data security incident occurred on the hotel booking and membership website hrewards.com. As a result of an external access attempt, personal data relating to certain customers and H Rewards members was temporarily accessible.

Question 2

What data was accessible?

Accepted Answer

Depending on the individual record, the data that was temporarily accessible included name, contact details, date of birth, address information and H Rewards membership number.

Importantly, passwords, booking details, and payment information were not accessible.

Question 3

Has the incident been resolved?

Accepted Answer

Yes. The incident was detected at an early stage, contained immediately and has been fully resolved.

Question 4

Was the incident investigated?

Accepted Answer

Yes. The forensic investigation has been completed.

Question 5

Was the data copied or only viewed?

Accepted Answer

The forensic investigation clearly which date may have been temporarily accessible. However, it cannot be determined in each individual case whether the data was only viewed or also copied.

What is confirmed is that passwords, booking details, and payment information were not accessible.

Question 6

Were the authorities informed?

Accepted Answer

Yes. The competent data protection supervisory authorities were informed in accordance with the applicable legal requirements.

Question 7

Were affected individuals informed?

Accepted Answer

Yes. Affected individuals were informed directly wherever possible. In addition, the incident has been communicated publicly.

Question 8

Why is the company communicating publicly about this?

Accepted Answer

We are committed to transparency and fulfilling our legal obligations. As not all records include an email address, the incident is also being communicated publicly.

Question 9

What action has the company taken?

Accepted Answer

The identified vulnerability was closed immediately. In addition, a forensic investigation was carried out, further security measures have been implemented, the competent authorities were informed and affected individuals were contacted.

Question 10

What does this mean for me?

Accepted Answer

Based on our current assessment, there is no indication that sensitive data has been affected or misused. This incident was limited in scope and has been resolved. We are informing you as a precaution and to ensure transparency.

Question 11

What should affected individuals do now?

Accepted Answer

Affected or potentially affected individuals should use the online Self-Check for Data Security form provided and remain particularly vigilant in relation to unexpected messages, emails or telephone calls.

Question 12

When will I receive a response to my request?

Accepted Answer

We will process your request as soon as possible in accordance with the applicable statutory deadlines.

Question 13

Why are you referring people to an online form rather than a hotline?

Accepted Answer

Checks to determine whether a specific record was affected can only be carried out via the online Self-Check for Data Security form. This ensures a data protection-compliant process.

Question 14

Can I also complete the check by telephone?

Accepted Answer

No. We kindly ask for your understanding that the Self-Check for Data Security can only be completed online. This ensures a data protection-compliant process.

Question 15

What should affected individuals be particularly aware of?

Accepted Answer

We recommend that you remain vigilant and observe the following precautions:

Be careful with unexpected emails, messages, or calls.
Do not click on suspicious links and do not share any personal information.
Watch for unusual activity in your accounts.
H Rewards will never ask you to provide your password, payment details, or other sensitive personal information. If you receive such a request, please treat it as suspicious and do not respond.

Question 16

Does the incident affect bookings?

Accepted Answer

No. Existing and future hotel bookings are not affected.

Question 17

Have hotel operations or hotel bookings been affected by the incident?

Accepted Answer

No. The incident has no impact on existing or future hotel bookings. Business operations at all hotels were not and are not affected

Question 18

How can affected individuals check whether their data was affected?

Accepted Answer

This can only be done via the online Self-Check for Data Security form. Checks cannot be carried out by telephone.

Question 19

Which rights do I have with regards to my data?

Accepted Answer

Every data subject has the right, in accordance with Article 15 of the GDPR, to obtain information regarding the processing of personal data relating to him, the right of rectification in accordance with Article 16 GDPR, the right of deletion in accordance with Article 17 GDPR, the right to limit processing in accordance with Article 18 GDPR, the right to object to processing in accordance with Article 21 GDPR and the right of transferability in accordance with Article 20 GDPR. The right of information and the right of deletion are also subject to the restrictions pursuant to Sections 34 and 35 of the BDSG.

Question 20

Who should I contact if I have any questions or concerns?

Accepted Answer

If you have any further questions or comments, you can contact us via dataprivacy.rfi@hrewards.com.

In addition, you can contact the Data Protection Officer:

Steigenberger Hotels GmbH: TÜV Informationstechnik GmbH, Am TÜV 1, 45307 Essen, datenschutz@deutschehospitality.com

H Rewards Loyalty Program, H Rewards Pte. Ltd.: Wodianka privacy legal GmbH, Dockenhudener Straße 12a, 22587 Hamburg, eu-representative@hrewards.com

Question 21

When will I receive a response to my request?

Accepted Answer

We will process your request as soon as possible in accordance with the applicable statutory deadlines.

Question 22

How can I cancel my H Rewards Membership?

Accepted Answer

You can cancel your H Rewards membership at any time by selecting the “Cancel membership” option in your account under the “Profile” section. Upon cancellation, all redeemable H Rewards points will expire immediately. Your personal data will be deleted in accordance with applicable legal requirements.

Question 23

How can I request the deletion of my data?

Accepted Answer

Please click “here” and send us a message with your full first and last name and address details to request the deletion of your data. Please note: Your data will be deleted automatically at the earliest possible opportunity, in compliance with applicable legal requirements. You will not receive any further notification.

H Rewards Data Security Incident Update

What happened?

What has been done?

How can I check if my data was affected?

What consequences could arise from the incident?

What should I be aware of?

What impact does this have on bookings and hotel operations?

What happened to the data?

Ongoing commitment

Who can I contact if I have questions or concerns?

Frequently Asked Questions