Nov. 1 (UPI) -- Hilton Worldwide, Inc. has reached a $700,000 settlement with New York and Vermont over two separate data breaches two years ago that exposed more than 360,000 credit card numbers.
The attorneys general in the states announced Tuesday the culmination of the investigation that found Hilton didn't notify consumers in a timely manner and failed to maintain reasonable data security.
New York will receive $400,000 in the settlement and Vermont $300,000.
"Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible," New York Attorney General Schneiderman said in a statement. "Lax security practices like those we uncovered at Hilton put New Yorkers' credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers' personal information."
According to New York state law, the disclosure must be made in the "most expedient time possible and without unreasonable delay."
Vermont law requires preliminary notice to the attorney general within 14 days of discovering a breach.
"We continue to make enforcement of our data breach laws a top priority," Attorney General T.J. Donovan said in a statement. "Every business should notify the public and our office as soon as possible when a breach occurs to ensure consumers can protect themselves."
Virginia-headquartered Hilton has 14 brands comprising more than 4,900 properties with more than 796,000 rooms in 104 countries and territories. They include Hilton Hotels & Resorts, Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Homewood Suites by Hilton and Hilton Grand Vacations.
In the first breach, Hilton learned on Feb. 15, 2015, from a computer services provider that its system in Great Britain was communicating with a suspicious computer outside Hilton's computer network. A forensic investigation found that credit-card-targeting malware had potentially exposed cardholder data between Nov. 18 and Dec. 5, 2014.
In the second incident, Hilton discovered a breach on July 10, 2015, through an intrusion system. The investigation found that payment card data was potentially exposed between April 21, 2015 and July 27, 2015, and that attackers had gathered 363,952 credit card numbers for removal.
But Hilton didn't provide notice until Nov. 24, 2015, the investigation found.
Hilton said there was no evidence attackers removed cardholder data, but the forensic investigator wasn't able to review all relevant logs. It added that intruders used anti-forensic tools.
In the agreement, Hilton has agreed to provide notices to affected cardholders in the two states and to design and maintain a comprehensive information security program to protect consumer cardholder data.
"Hilton is strongly committed to protecting our customers' payment card information and maintaining the integrity of our systems," the company said in a statement.