Hilton hotels has reached a $700,000 joint settlement with New York and Vermont for a pair of data breaches that were discovered in 2015, including one that exposed more than 350,000 credit card numbers.
A press release from New York Attorney General Eric Schneiderman states that Hilton Domestic Operating Company did not practice reasonable data security at the time of the breaches, and failed to provide consumers with timely notification, following the incidents.
New York will receive $400,000 from the settlement, with the remainder going to Vermont, whose AG’s office investigated the breaches alongside Schneiderman’s office.
As part of the settlement, Hilton has agreed to comply with New York State General Business Law 899-aa, which requires companies to provide notice to affected New York residents and the Attorney General’s office when a personal without valid authorization acquires private information. The company has also agreed to design and maintain a program for securing consumer cardholder data, as well as obtain a written assessment of its compliance with Payment Card Industry (PCI) standards.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Schneiderman in his release. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk.”
The first of the two breaches was discovered in February 2015, after Hilton learned a system based in the UK had been infected with malware that may have exposed payment card data in November and December of 2014. From Apr. 21, 2015 through July 27, 2015, a second breach involving point-of-sale (POS) malware prompted a forensic investigation, which determined that 363,952 credit card numbers had been aggregated for removal by attackers. Hilton did not reveal its findings until Nov. 24, the release states.