Following a responsible disclosure by external IT security researchers, GUBSE AG has closed the reported vulnerabilities.
There was no unauthorised access and no compromise or leakage of personal data, other than within the controlled test environment of the security researchers. All reported vulnerabilities were immediately and fully remediated.
In September 2025, GUBSE AG was alerted by external IT security researchers to potential vulnerabilities in the SIHOT.WEB and SIHOT.GO! modules. After technical verification, the company promptly closed the reported issues, involved its Data Protection Officer, and informed the relevant data protection authority, keeping it continuously updated throughout the process.
A detailed analysis confirmed that no unauthorised third-party access to personal data occurred and that no information outside the controlled testing environment was exposed.
At no point was the integrity or confidentiality of end-customer data compromised by any external party. Access took place solely within the framework of controlled tests conducted by the reporting researchers, who are legally obliged to permanently delete all data collected during the investigation. There was never a general “unprotected” state of the systems. Identifying the vulnerabilities required advanced technical knowledge and specific protocol expertise.
Even prior to receiving the researchers’ notice, the company’s IT infrastructure – particularly the SIHOT.WEB module – had been reviewed by an independent external auditor, who found no security-related concerns. In addition, the software of GUBSE AG undergoes regular external penetration testing, varying in frequency and scope, to ensure the continuous effectiveness of its security mechanisms.
“The security of our customers and their guests is our highest priority and is firmly embedded in our corporate values,” said Carsten Wernet, CEO of GUBSE AG. His fellow board member Jörg Berger added: “We appreciate the researchers’ responsible disclosure. Thanks to the swift response of our teams, we were able to close the vulnerabilities immediately and further strengthen our security architecture.”
GUBSE AG’s Information Security Officer (ISO) has overseen the analysis and implementation of all measures from the outset. Based on the insights gained, internal security processes are now being systematically expanded and refined.
The company is also advancing the development of a transparent security policy to ensure even faster, more structured responses to comparable situations in future – and to make these measures more visible externally.
Since the beginning of the second half of 2025, GUBSE AG has been preparing for ISO 27001 certification. This international standard sets out strict requirements for information security management systems and represents another consistent step in securing technical, organisational, and procedural standards at the highest level. With these measures, GUBSE AG reinforces its commitment to continuously improving system security and strengthening the long-term trust of its customers and partners.
About SIHOT:
SIHOT (www.sihot.com) is one of the leading, privately-held modular hotel management software systems designed for leisure resorts, hotel chains, mice hotels, camping and hostels. The SIHOT hotel management platform built for hoteliers covers all operational processes with full customisation, offering a highly qualitative and complete property management solution. Established in 1986, SIHOT Group – including hardware solutions provider Addipos – employs around 250 people at 11 global locations with SIHOT used in around 3,500 top hotels worldwide. Among SIHOT’s global customers include Accor, Best Western Hotels & Resorts, Motel One, Wyndham Hotels & Resorts and Meininger Hotels.