
Identity data breach settlement will cost Hilton $700K

November 1, 2017

After credit card information and other personal data were stolen from Hilton, the hotel chain was found to have failed to properly notify consumers of the breach, resulting in a $700,000 penalty.

The New York and Vermont attorneys general’s offices collaborated in the complaint against Hilton, which alleged that the company did not provide timely notice of the breach to consumers, and that it also did not maintain reasonable data security.

In a settlement reached with Hilton, the company will pay $400,000 to New York, and another $300,000 to Vermont. Hilton has also agreed to design and maintain a comprehensive information security program to protect consumer cardholder data.

Hilton has also pledged to provide immediate notice to consumers affected by any future breaches, and to conduct data security assessments.

Hilton was actually affected by two breaches: one that occurred in late 2014, and a second in the spring and summer of 2015. Consumers were not informed of the incidents until November of 2015.

The fine was levied after an investigation found that Hilton was in violation of New York laws, which require that a company inform consumers of a security breach in the “most expedient time possible and without unreasonable delay.” Hilton was also found to be in violation of Payment Card Industry Data Security Standard (PCI DSS) requirements, which require that cardholder data be processed in a secure environment.

The original incident affected some 363,000 credit card numbers, which were exposed to hackers.

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” New York Attorney General Eric Schneiderman said. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”