
Hilton to pay $700,000 in data breach settlement with New York, Vermont

Hilton hotels has reached a $700,000 joint settlement with New York and Vermont for a pair of data breaches that were discovered in 2015, including one that exposed more than 350,000 credit card numbers.

A press release from New York Attorney General Eric Schneiderman states that Hilton Domestic Operating Company did not practice reasonable data security at the time of the breaches and failed to provide consumers with timely notification following the incidents.

New York will receive $400,000 from the settlement, with the remainder going to Vermont, whose AG's office investigated the breaches alongside Schneiderman's office.

As part of the settlement, Hilton has agreed to comply with New York State General Business Law 899-aa, which requires companies to provide notice to affected New York residents and the Attorney General's office when a person without valid authorization acquires private information. The company has also agreed to design and maintain a program for securing consumer cardholder data, as well as to obtain a written assessment of its compliance with Payment Card Industry (PCI) standards.

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Schneiderman in his release. “Lax security practices like those we uncovered at Hilton put New Yorkers' credit card information and other personal data at serious risk.”

The first of the two breaches was discovered in February 2015, after Hilton learned a system based in the UK had been infected with malware that may have exposed payment card data in November and December of 2014. From Apr. 21, 2015 through July 27, 2015, a second breach involving point-of-sale (POS) malware prompted a forensic investigation, which determined that 363,952 credit card numbers had been aggregated for removal by attackers. Hilton did not reveal its findings until Nov. 24, the release states.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
