Hilton settles for $700,000 after data breach | finder.com

Peter Terlato 31 October 2017

Hotelier commits to security program and data checks.

Hilton, one of the largest hospitality companies in the world, reached a $700,000 settlement agreement with the New York Attorney General after an investigation into consumer notifications of two separate data breaches in 2015.

New York Attorney General Eric T. Schneiderman, in collaboration with the Vermont Attorney General’s office, investigated Hilton Worldwide after data security incidents exposed more than 350,000 credit card numbers.

Hilton reportedly did not provide consumers with timely notice and did not maintain reasonable data security.

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” Schneiderman said.

In February of 2015, Hilton became aware that a system used in the United Kingdom was communicating with a suspicious computer outside Hilton’s own network. A forensic investigation revealed credit card-targeting malware that potentially exposed cardholder information between November 18 and December 5, 2014.

In July the same year, Hilton learned of another breach through an intrusion detection system. An investigation discovered malware designed to obtain credit card information. Payment card data was potentially exposed between April 21 and July 27, 2015. Just under 364,000 credit card numbers may have been removed.

The Attorney General said the hotel chain did not inform affected customers until November 24, 2015. This was more than nine months after the first intrusion was discovered. Hilton alleged there was no evidence of removal of cardholder data, although the forensic investigator was unable to review all relevant system logs.

The investigation also found Hilton was not in compliance with certain Payment Card Industry Data Security Standard requirements. These conditions ensure cardholder data is processed in a secure environment.

The settlement requires Hilton to pay $700,000, provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program and conduct relevant data security assessments.

Hilton Worldwide’s portfolio comprises 14 brands, more than 4,900 properties and 796,000 rooms across 104 countries and territories. The company owns, manages, or franchises brands including Hilton Hotels & Resorts, Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Homewood Suites by Hilton, and Hilton Grand Vacations.

Earlier this month it was revealed that every single Yahoo account that existed in August 2013 was affected by what has now become the largest data breach ever recorded, affecting around one billion users.

Additionally, beleaguered credit agency Equifax announced in October that an additional 2.5 million consumers’ personal information was breached during its previously announced global cybersecurity hack.
