Hilton Data Breach Results in $700,000 Penalty
By Roger Murray | November 13th, 2017
Malicious network attacks & data breaches often make headlines, what is rarely discussed are the repercussions following such events. Businesses of all sizes have a responsibility to their consumers, should such incidents affect their privacy, to notify them in a timely manner. Hilton Hotels reached a settlement this month with New York Attorney General Eric T. Schneiderman and Vermont Attorney General TJ Donovan following two breaches in 2015.
The settlement provides valuable lessons for any business seeking to understand state data breach laws, some of which have vague terminology like “most expedient time possible and without unreasonable delay” in relation to notifying those affected, as well as how breaches can uncover even greater security standard deficiencies leading to costly exposures.
Data Breach Incidents
Hilton had two separate data breaches in 2015. On February 10, 2015 Hilton from their computer service provider that a system they utilized in the UK was communicating with a suspicious computer outside Hilton’s computer network. An investigation was launched and revealed credit-card targeting malware that potentially exposed cardholder’s data between November 18th and December 5th, 2014. The second breach was detected on July 10, 2015 through an intrusion detection system. The result was further malware designed to steal credit card information from point of sale (POS) machines. Payment information was potentially exposed for all transactions between April 21st and July 27th, 2015.
In total, some 363,952 credit card numbers were believed to have been stolen by the attackers. Yet, Hilton chose not to notify customers until November 24th, 2015. Over nine months after the first intrusion was discovered.
According to the Attorneys General, Hilton had sufficient information to trigger consumer & regulator notice well before November 24th. Breach notification laws in New York require expedient time and without reasonable delay, which remains subjective, while Vermont’s breach notification law maintains similar standards, but with the maximum limitation exceeding no later than 45 days after discovery. The Attorney General in Vermont must also be notified within 14 days. Pursuant to these laws, Hilton failed to comply on nearly every count.
Failure to Comply
The Attorneys General also discovered that Hilton was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS Compliance). The PCI DSS is a proprietary information security standard for organizations that process branded credit cards from the major credit card companies, including Visa, MasterCard, American Express, & Discover. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council to ensure cardholder data is processed in a secure environment.
Vermont’s Attorney General alleged that Hilton’s failure to meet PCI DSS requirements for maintaining reasonable data security practices violated Vermont’s Consumer Protection Act.
Further, the New York Attorney General noted that Hilton misrepresented itself customers by stating that they would maintain the personal information of its customers using reasonable data security. Hilton demonstrated further insufficiencies by informing customer’s that their personal information was secure. For example, upon members logging into Hilton.com, they see a message stating “Your Information is Secure” with a hyperlink to Hilton’s Global Privacy Statement. By violating and implied representations of reasonable data security, Hilton violated New York’s Executive Law and General Business Law, which prohibits deceptive acts or practices in conducting business.
Outcome of the Settlement
In addition to civil penalties totaling 700K (300K for Vermont & 400K for New York), Hilton must:
- Provide immediate notice to consumers affected by a breach relative to state law.
- Sent the Vermont Attorney General, for five years, all Private Forensic Investigator preliminary reports pertaining to breaches involving cardholder data.
- Design, implement, and maintain a written comprehensive information security program.
- Annually obtain a written assessment of its compliance with PCI DSS and notify the Attorneys General of any PCI DSS assessment where the assessor does not find Hilton fully compliant.
The cost of a data breach is not limited to only civil penalties, but includes ongoing settlement term compliance costs, intensive regulatory oversight, as well as reputational damage, something a company like Hilton can endure. The same cannot be said for local businesses without a global presence who do not always recover. This settlement should be looked at as a reminder of how preventative security, network oversight, as well as proper written policies on how to respond to data breaches can help contain fallout.