The Hilton hotel chain is paying a $700,000 settlement to the states of New York and Vermont after being accused of mishandling two separate cyber attacks that exposed financial data of its customers.
The credit card breaches were in 2014 and 2015 and affected more than 363,000 payment cards.
The investigation revealed that crooks installed a PoS malware in Hilton payment systems, potentially exposing customers’ card details between 18 November and 5 December 2014.
The second incident was spotted in July and dates back April of the same year.
Hilton Domestic Operating Company, Inc notified customers about the incident only in November 2015.
The company is accused of poor security of its payment system and is responsible for the delay in informing customers.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Attorney General Eric T. Schneiderman.
“Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
As part of the settlement, Hilton will strengthen the security of its payment systems and internal procedures for incident handling.
“Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems,” the company said in a statement.
Let’s try to imagine the outcome of this incident under the forthcoming EU GDPR regulation. With such regulation in line, it would be $420 million, as the fine can represent up to 4 percent of the company’s turnover.