Today, the attorneys general of New York and Vermont announced that their joint investigation into two Hilton data breaches has resulted in a $700 thousand penalty and a promise to strengthen security. Hilton was made aware of the first breach in February 2015; it had actually occurred between November and December 2014. The second breach exposed sensitive customer data between April and July 2015 and was discovered in July. However, the company waited until November 2015 to inform those affected by the breaches. More than 363,000 credit card numbers were exposed in the two incidents. The New York and Vermont investigation concluded that Hilton took too long to notify its customers of the breaches and failed to properly protect their information.
Under the settlement, New York will receive $400 thousand from Hilton and Vermont will receive $300 thousand. Hilton has shown its willingness to change its information security program. This includes designating an employee to oversee it and identify expected risks to information security, implementing risk safeguards, and performing regular testing to ensure their effectiveness. New York Attorney General Eric Schneiderman issued a statement that businesses have the responsibility to inform consumers in the event of a security breach. They should also protect consumers' personal information. Careless security practices like those we discovered at Hilton put credit card information and other personal data of New York residents at serious risk.