Hotel operator Hilton will pay $700,000 to settle an investigation into two separate data breaches that exposed more than 350,000 credit card numbers.
The New York attorney general, who conducted an investigation along with his counterpart in Vermont, said Tuesday that one breach began in November 2014 and another in April 2015 but Hilton didn’t tell consumers until November 2015.
The state officials say Hilton didn’t comply with payment-card security standards.
Hilton spokeswoman Meg Ryan says the company cooperated with law enforcement and took steps to wipe out malware that targeted customers’ card information.
[Skift Editor’s Note: Hilton issued the following statement to Skift regarding the fines: “Two years ago, Hilton took action to eradicate unauthorized malware that targeted guest payment card information. We have completed a thorough investigation into this incident, including working closely with third-party forensics experts, payment card companies and law enforcement, including certain state Attorneys General. Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems.”]
Virginia-based Hilton Domestic Operating Company Inc. was previously known as Hilton Worldwide. The company has more than 5,100 properties in about 100 countries under names including Hilton Hotels, DoubleTree by Hilton, Embassy Suites and Hampton by Hilton.