Hilton to pay $700,000 for data breach that exposed hundreds of thousands of credit card numbers

Photo: Hilton Worldwide headquarters in Virginia, seen from Jones Branch Drive (Altercari)

Hilton Domestic Operating Company Inc. has agreed to pay $700,000 after two separate data security breaches, both discovered in 2015, exposed more than 350,000 credit card numbers.

The New York Attorney General’s Office investigation, conducted along with the Vermont Attorney General’s Office, showed that Hilton didn’t provide consumers with timely notice and didn’t maintain reasonable data security.

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said New York Attorney General Eric T. Schneiderman. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk.”

Hilton owns, manages, or franchises brands including Hilton Hotels & Resorts, Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Homewood Suites by Hilton, and Hilton Grand Vacations.

On Feb. 10, 2015, Hilton learned from a computer services provider that a system Hilton used in the United Kingdom was communicating with a suspicious computer outside Hilton’s network. A forensic investigation found malware designed to harvest payment card data; cardholder data was potentially exposed between Nov. 18 and Dec. 5, 2014.

On July 10, 2015, Hilton learned of a second breach through an intrusion detection system. A forensic investigation found further malware designed to steal credit card information. It determined that payment card data was potentially exposed from April 21, 2015 through July 27, 2015, and found evidence that 363,952 credit card numbers had been aggregated by the attackers for exfiltration.

Hilton didn’t notify consumers until November 24, 2015, more than nine months after the first intrusion was discovered. Hilton asserted that there was no evidence the cardholder data had actually been exfiltrated, but the forensic investigator was unable to review all relevant logs, and the intruders had used anti-forensic tools to cover their tracks.

Under New York law, any person or business that owns or licenses computer data that includes “private information” must disclose any breach of the security of the system, following discovery, to any New York resident whose information was acquired by a person without valid authorization. The disclosure must be made in the “most expedient time possible and without unreasonable delay.” The investigation concluded that Hilton did not meet this requirement.

The investigation also found that Hilton was not in compliance with the payment card industry’s data security standard (PCI DSS).

Hilton had represented to its customers that it would protect their personal information, such as credit card information, using reasonable data security, Schneiderman said.

The settlement requires Hilton to provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program, and conduct data security assessments as follows:

Notice to consumers

Hilton has agreed to provide notice to affected New York residents and the Attorney General’s Office of a breach involving private information.

Comprehensive information security program

Hilton has agreed to design and maintain a comprehensive information security program designed to protect consumer cardholder data.

Cardholder data assessments

Hilton has agreed to obtain, annually, a written assessment of the extent of its compliance with the applicable laws, and to report to the Attorney General if it is not fully compliant.

New York will receive $400,000 of the settlement and Vermont will receive $300,000.
