Hilton settles for $700,000 after data breach
Hotelier commits to security program and data checks.
Hilton, one of the largest hospitality companies in the world, reached a $700,000 settlement agreement with the New York Attorney General after an investigation into consumer notifications of two separate data breaches in 2015.
New York Attorney General Eric T. Schneiderman, in collaboration with the Vermont Attorney General’s office, investigated Hilton Worldwide after data security incidents exposed more than 350,000 credit card numbers.
Hilton reportedly did not provide consumers with timely notice and did not maintain reasonable data security.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” Schneiderman said.
In February of 2015, Hilton became aware that a system used in the United Kingdom was communicating with a suspicious computer outside Hilton’s own network. A forensic investigation revealed malware targeting credit cards that potentially exposed cardholder information between November 18 and December 5, 2014.
In July the same year, Hilton learned of another breach through an intrusion detection system. An investigation discovered malware designed to obtain credit card information. Payment card data was potentially exposed between April 21 and July 27, 2015. Just under 364,000 credit card numbers may have been removed.
The Attorney General said the hotel chain did not inform affected customers until November 24, 2015. This was more than nine months after the first intrusion was discovered. Hilton alleged there was no evidence of removal of cardholder data, although the forensic investigator was unable to review all relevant system logs.
The investigation also found Hilton was not in compliance with certain Payment Card Industry Data Security Standard requirements. These requirements are designed to ensure cardholder data is processed in a secure environment.
The settlement requires Hilton to pay $700,000, provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program and conduct relevant data security assessments.
Hilton Worldwide’s portfolio comprises 14 brands, more than 4,900 properties and 796,000 rooms across 104 countries and territories. The company owns, manages, or franchises brands including Hilton Hotels & Resorts, Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Homewood Suites by Hilton, and Hilton Grand Vacations.
Earlier this month it was revealed that every single Yahoo account that existed in August 2013 was affected by what has now become the largest data breach ever recorded, involving around one billion users.
Additionally, beleaguered credit agency Equifax announced in October that an additional 2.5 million consumers’ personal information was breached during its previously announced global cybersecurity hack.