Hilton reaches $700,000 settlement over data breaches

In addition to the Capital Hilton, The Madison Washington DC joins the Washington Hilton as the brand’s third hotel in the city.
As part of the settlement, Hilton has promised to disclose future breaches more quickly and to perform regular security tests.

Hilton has reached a $700,000 settlement agreement with two states, New York and Vermont, over two separate data breaches discovered in 2015 that exposed more than 360,000 payment card numbers.

The settlement resolves claims that the hotel chain lacked reasonable data security and was too slow to tell consumers about the intrusions, waiting 9.5 months after learning of the first and more than three months after learning of the second.

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said New York Attorney General Eric Schneiderman. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”


Like this story? Subscribe to Technology!

Hospitality professionals turn to Technology as their go-to news source for the latest technology products and trends. Sign up today to get news and updates on security systems, in-room entertainment, and more delivered to your inbox and read on the go.

On Feb. 10, 2015, Hilton learned from a computer services provider that a system Hilton utilized in the United Kingdom was communicating with a suspicious computer outside Hilton’s computer network. A forensic investigation revealed credit-card targeting malware that potentially exposed cardholder data between Nov. 18, 2014 and Dec. 5, 2014.

On July 10, 2015, Hilton learned of a second breach through an intrusion detection system. A forensic investigation found further malware designed to steal credit card information. It found that payment card data was potentially exposed from April 21, 2015 through July 27, 2015, as well as evidence of 363,952 credit card numbers aggregated for removal by the attackers. 

Hilton did not provide notice until Nov. 24, 2015, more than nine months after the first intrusion was discovered. While Hilton alleged that there was no evidence of removal of the cardholder data, the forensic investigator was not able to review all relevant logs and the intruders used antiforensic tools to hide their tracks. 

New York officials say that wasn't good enough, reports Gov Info Security. Under New York state law, any entity that discovers a breach involving individuals' private information must notify the victim as quickly as possible. In the words of the relevant state law: "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."

As part of the settlement, Hilton has promised to disclose future breaches more quickly and to perform regular security tests, among other enhanced safety efforts. New York will receive $400,000 from the settlement, and Vermont will receive $300,000. 

"Two years ago, Hilton took action to eradicate unauthorized malware that targeted guest payment card information," Hilton said in a statement. "Hilton is strongly committed to protecting our customers' payment card information and maintaining the integrity of our systems."

Suggested Articles

Expenses are outpacing revenue growth, decreasing profits for hoteliers across Europe.

Target markets in the state of Gujarat include Surat, Baroda and Gujarat International Finance Tec-City.

The one-day event will focus on related hospitality concepts such as hostels, co-living, co-working, student accommodation and serviced apartments.