I've started to assume that any non-chain hotel is compromised after losing $2k to hackers that completely owned the hotel's email system. Thankfully DMARC made it irrefutable that it was their system at fault and they assumed liability. BEC is shockingly common and difficult to detect until it's too late.
Not just BEC, at multiple non-chains I have found keyloggers, card stealers and everything in between. I refuse to use anything but apple pay on an actual payment terminal (or a 3P booker that passes on a virtual card) and no ID scans or copies.