Hilton has reached a $700,000 settlement agreement with two states, New York and Vermont, over two separate data breaches discovered in 2015 that exposed more than 360,000 payment card numbers.
The settlement resolves claims that the hotel chain lacked reasonable data security and was too slow to tell consumers about the intrusions, waiting 9.5 months after learning of the first and more than three months after learning of the second.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said New York Attorney General Eric Schneiderman. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
On Feb. 10, 2015, Hilton learned from a computer services provider that a system Hilton used in the United Kingdom was communicating with a suspicious computer outside Hilton’s network. A forensic investigation revealed credit-card-targeting malware that potentially exposed cardholder data between Nov. 18, 2014 and Dec. 5, 2014.
On July 10, 2015, Hilton learned of a second breach through an intrusion detection system. A forensic investigation found further malware designed to steal credit card information. It found that payment card data was potentially exposed from April 21, 2015 through July 27, 2015, as well as evidence of 363,952 credit card numbers aggregated for removal by the attackers.
Hilton did not provide notice until Nov. 24, 2015, more than nine months after the first intrusion was discovered. While Hilton maintained that there was no evidence that cardholder data had been removed, the forensic investigator was not able to review all relevant logs, and the intruders had used anti-forensic tools to hide their tracks.
New York officials say that wasn't good enough, reports Gov Info Security. Under New York state law, any entity that discovers a breach involving individuals' private information must notify the victim as quickly as possible. In the words of the relevant state law: "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."
As part of the settlement, Hilton has promised to disclose future breaches more quickly and to perform regular security tests, among other enhanced safety efforts. New York will receive $400,000 from the settlement, and Vermont will receive $300,000.
"Two years ago, Hilton took action to eradicate unauthorized malware that targeted guest payment card information," Hilton said in a statement. "Hilton is strongly committed to protecting our customers' payment card information and maintaining the integrity of our systems."