Hilton data breaches lead to $700,000 penalty

The company has also agreed to strengthen its information security systems.


The attorneys general of New York and Vermont both announced today that their joint investigation into two Hilton data breaches has resulted in a $700,000 penalty and a promise to strengthen security. In February of 2015, Hilton was made aware of a cybersecurity breach that occurred between November and December of 2014. A second breach that exposed sensitive customer data between April and July of 2015 was uncovered that July, but the company waited until November of that year to inform those affected by the breaches. In all, over 363,000 credit card numbers were exposed.

New York and Vermont's probe into the matter concluded that Hilton took too long to notify its customers of the breach and failed to properly protect their information. The settlement announced today stipulates that New York will receive $400,000 from Hilton while Vermont will receive $300,000. Hilton has also agreed to change its information security program, which includes designating an employee to supervise it, identifying risks to information security, implementing safeguards against those risks, and regularly testing the safeguards' effectiveness.

"Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible," New York Attorney General Eric Schneiderman said in a statement. "Lax security practices like those we uncovered at Hilton put New Yorkers' credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers' personal information." TJ Donovan, Vermont's attorney general, said, "We continue to make enforcement of our data breach laws a top priority."