The Hilton hotel chain, which has more than 4,000 properties in over 90 countries, has to pay a $700,000 settlement to the states of New York and Vermont following two point-of-sale attacks the company didn’t properly handle, writes BBC News.
Although the credit card breaches were identified in 2014 and 2015 and affected over 363,000 payment cards, Hilton Domestic Operating Company, Inc. did not inform customers about them until November 2015, according to investigators. The lax security measures, as well as the delay in informing customers that their payment information had been hacked, gave hackers free rein to make fraudulent purchases.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Attorney General Eric T. Schneiderman.
“Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
The company officially admitted the breach only after security researcher Brian Krebs wrote on his blog that a number of gift shops and restaurants in the chain may have been hacked.
The first attack took place between November 18 and December 5, 2014, when a hotel computer was infected with malware designed to communicate with an outside server. Hackers used PoS malware to steal names, payment card numbers, security codes and expiration dates. The second attack took place between April 21 and July 27, 2015, and again targeted payment card data.
Besides paying the fine to New York and Vermont in a joint settlement, Hilton will strengthen security and ensure any future breaches are announced as soon as they are identified.
“Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems,” the company said in a statement.
As of May 2018, when the EU’s GDPR goes into effect, the outcome of such cases will change drastically. If the fine were in line with GDPR legislation, it would be $420 million, as the fine can represent up to 4 percent of the company’s turnover.