Lax security practices put consumer data at ‘serious risk’

The company behind Hilton Hotels has agreed to pay $700,000 to settle a claim relating to two security breaches that put the credit card numbers of thousands of consumers at risk.

Hilton Domestic Operating Company, formerly Hilton Worldwide, experienced two separate network intrusions in 2014 and 2015, leading to the exposure of more than 360,000 credit card numbers.

A subsequent investigation conducted in the US found that the hospitality group failed in its duty to provide timely notice of the breaches and lacked reasonable data security.

The case was pursued by the New York State Attorney General, Eric Schneiderman, in collaboration with the Vermont Attorney General’s office.

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Schneiderman. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk.”

Nine months' notice

On February 10, 2015, Hilton learned that one of its systems in the UK was communicating with a suspicious computer outside of the hospitality group’s network. A forensic investigation revealed credit-card-targeting malware that potentially exposed cardholder data between November 18 and December 5, 2014.

In July 2015, Hilton learned of a second breach through an intrusion detection system. A subsequent investigation found that payment card data was potentially exposed from April 21, 2015 through July 27, 2015, as well as evidence of 363,952 credit card numbers aggregated for removal by the attackers.

Hilton did not provide notice until November 24, 2015 – more than nine months after the first intrusion was discovered.

While the hotelier alleged that there was no evidence of removal of the cardholder data, investigators at the New York Bureau of Technology were not able to review all relevant logs, as the intruders used anti-forensic tools to hide their tracks.

Six-figure settlement

The investigation found Hilton in breach of various New York and Vermont state privacy laws. New York will receive $400,000, and the remaining $300,000 has been awarded to Vermont.

The settlement also requires Hilton to provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program, and conduct regular data security assessments.

“My office will continue to hold businesses accountable for protecting their customers’ personal information,” said Schneiderman.

Vermont Attorney General Thomas Donovan added: “We continue to make enforcement of our data breach laws a top priority. Every business should notify the public and our office as soon as possible when a breach occurs to ensure consumers can protect themselves.”

Hilton is one of the largest hospitality companies in the world. Its portfolio of 14 brands comprises more than 4,900 properties in more than 100 countries.