The Hilton hotel chain has agreed to pay $700,000 to settle a claim against the company related to two separate data breaches.
On Tuesday, Attorney General Eric Schneiderman said that the Hilton Domestic Operating Company, formerly known as Hilton Worldwide, will pay $700,000 in recompense for failing in its duty -- not simply by having poor security in the first place which allowed the data breaches to occur, but for then leaving customers in the dark.
The US investigation into the breaches, conducted by law enforcement in New York and Vermont, analyzed two security incidents which took place separately in 2015.
Investigators concluded that "Hilton did not provide consumers with timely notice and did not maintain reasonable data security," according to the Attorney General's office.
Hilton also did not comply with a number of Payment Card Industry Data Security Standard (PCI DSS) requirements which are necessary to process credit cards safely.
"Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible," said Schneiderman. "Lax security practices like those we uncovered at Hilton put New Yorkers' credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers' personal information."
The first data breach was discovered on February 10, 2015, when malware that targeted credit card data was found on one of the hotel's systems. Forensics revealed that information had potentially been passed from the hotel chain's network to a threat actor's system between November 18 and December 5, 2014. However, no evidence that such a transfer actually took place was ever found.
The second incident was stumbled upon on July 10 of the same year, when a fresh wave of credit card-stealing malware was found.
Payment card data was potentially exposed from April 21, 2015, through July 27, 2015, and at least 363,952 credit card numbers had been stolen by attackers.
Hilton's problems did not end there. It was nine months later that the company admitted to the first breach, and this delay, during which the stolen information may have been used against victims in ways including identity theft, is not acceptable.
"Hilton did not provide notice to consumers in the most expedient time possible and without unreasonable delay," investigators said.
The company also violated New York laws by representing that customer information would be kept safe -- and failing to keep this promise of reasonable data security.
The settlement now requires Hilton to provide "immediate" notice to customers affected by a data breach, and the company must also create a security program in which internal security audits take place, safeguards against a recurrence are put in place, and an employee is placed in charge of the program.
However, consumers cannot expect to receive any of the settlement. Instead, New York will be given $400,000, and Vermont the remainder.
Hilton is only one of many hotel chains being targeted for the valuable customer data they hold and process. In April, President Donald Trump's hotel chain, The Trump Hotel Collection, suffered the second of two data breaches in this year alone.