Hilton pays $700,000 to settle late notification and PCI DSS noncompliance charges by NY and VT over data breaches
From the NYS Attorney General’s Office, yesterday:
Attorney General Eric T. Schneiderman today announced a $700,000 settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), after data security incidents exposed over 350,000 credit card numbers in two separate breaches in 2015. Attorney General Schneiderman’s investigation, conducted in collaboration with the Vermont Attorney General’s office, revealed that Hilton did not provide consumers with timely notice and did not maintain reasonable data security.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Attorney General Schneiderman. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
Hilton is one of the largest hospitality companies in the world, with a portfolio of 14 brands comprising more than 4,900 properties with more than 796,000 rooms in 104 countries and territories. The company owns, manages, or franchises a portfolio of brands including Hilton Hotels & Resorts, Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Homewood Suites by Hilton, and Hilton Grand Vacations.
On February 10, 2015, Hilton learned from a computer services provider that a system Hilton utilized in the United Kingdom was communicating with a suspicious computer outside Hilton’s computer network. A forensic investigation revealed credit-card-targeting malware that potentially exposed cardholder data between November 18 and December 5, 2014.
On July 10, 2015, Hilton learned of a second breach through an intrusion detection system. A forensic investigation found further malware designed to steal credit card information. It found that payment card data was potentially exposed from April 21, 2015 through July 27, 2015, as well as evidence of 363,952 credit card numbers aggregated for removal by the attackers.
Hilton did not provide notice until November 24, 2015, over nine months after the first intrusion was discovered. While Hilton alleged that there was no evidence of removal of the cardholder data, the forensic investigator was not able to review all relevant logs and the intruders used anti-forensic tools to hide their tracks.
Pursuant to New York General Business Law § 899-aa(2), any person or business which owns or licenses computer data that includes “private information,” a term which includes a person’s name and credit card number, shall disclose any breach of the security of the system following discovery to any resident of New York whose information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure must be made in the “most expedient time possible and without unreasonable delay.” Hilton did not provide notice to consumers in the most expedient time possible and without unreasonable delay.
The investigation found that Hilton was also not in compliance with certain Payment Card Industry Data Security Standard (“PCI DSS”) requirements. The PCI DSS is a proprietary information security standard for organizations that process branded credit cards from the major card companies, including Visa, MasterCard, American Express, Discover, and JCB. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council to ensure cardholder data is processed in a secure environment.
New York Executive Law § 63(12) and New York General Business Law §§ 349 and 350 prohibit deceptive acts or practices in conducting business. Hilton represented to its customers that it would maintain their personal information, such as credit card information, using reasonable data security. For example, Hilton’s Global Privacy Statement on Hilton’s website (www.hilton.com) provides that Hilton “will take reasonable measures to: (1) protect personal information from unauthorized access, disclosure, alteration or destruction and (ii) keep personal information accurate and up-to-date as appropriate.” The policy broadly defines customers’ personal information to include, among other things, name, address, and payment card information. Hilton also represented that it would keep its customers’ personal information “secure.” For example, upon logging on to Hilton.com, members are immediately presented with a statement that “Your information is secure” with a hyperlink to Hilton’s Global Privacy Statement. By violating express and implied representations of reasonable data security, Hilton violated New York Executive Law § 63(12) and New York General Business Law §§ 349 and 350.
The settlement requires Hilton to provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program, and conduct data security assessments as follows:
Notice to Consumers
Hilton has agreed to provide notice to affected New York residents and the Attorney General’s office of a breach involving private information in compliance with, and as defined by, GBL § 899-aa. In determining whether the information “has been acquired, or is reasonably believed to have been acquired” pursuant to GBL § 899-aa(2), Hilton must consider all information reasonably available to it, including, among other things, (i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information; (ii) indications that the information has been downloaded or copied; (iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; (iv) that the information has been made public; and (v) evidence of malware on its computer systems designed to collect cardholder data.
Comprehensive Information Security Program
Hilton has agreed to design and maintain a comprehensive information security program designed to protect consumer cardholder data including by:
- designating an employee to coordinate and supervise its information security program;
- identifying material internal and external risks to information security that could lead to unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of the information;
- implementing reasonable safeguards to control those risks, and performing regular testing or monitoring of the safeguards’ effectiveness;
- developing and using reasonable steps to select and retain service providers capable of appropriately safeguarding cardholder data, and contractually requiring such service providers to also implement and maintain appropriate safeguards for the information; and
- evaluating Hilton’s information security program and adjusting it based on testing or monitoring results or other circumstances (including material changes to Hilton’s operations or business arrangements) that Hilton knows, or an entity acting reasonably under the circumstances would know, may have a material impact on the program’s effectiveness.
Cardholder Data Assessments
Hilton has agreed to annually obtain a written assessment of the extent of its compliance with PCI DSS and report to the Attorney General if it is not fully compliant.
New York will receive $400,000 of the settlement and Vermont will receive the remainder.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Assistant Attorney General Noah Stein, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.