I have not seen one of these that wasn't a compromised hotel email or booking account. I have had to "help" a hotel get malware/RATs off their system more than a dozen times as a _guest_
I've started to assume that any non-chain hotel is compromised after losing $2k to hackers that completely owned the hotel's email system. Thankfully DMARC made it irrefutable that it was their system at fault and they assumed liability. BEC is shockingly common and difficult to detect until it's too late.
Not just BEC, at multiple non-chains I have found keyloggers, card stealers and everything in between. I refuse to use anything but apple pay on an actual payment terminal (or a 3P booker that passes on a virtual card) and no ID scans or copies.
TBH I can't imagine the trust of letting a guest access their booking computer handling cards and given the admin password for UAC particularly helped their case here ;-;