April 2018 : Hilton is fined for Data Breach
Hilton Domestic Operating Company, Inc, the parent company of Hilton Hotels, has received a $700,000 (£525,000) fine after being accused of mishandling two separate data breaches involving credit cards.
The attacks, which occurred in 2014 and 2015, resulted in more than 360,000 accounts being put at risk. It is not clear whether the attackers were able to extract any credit card details. Investigators in the USA claim that the company had taken too long to warn customers and had lacked adequate security measures.
The penalty is to be divided between the states of New York and Vermont. Their attorneys general agreed the settlement with the company, which operates the Waldorf Astoria, Conrad Hotels and DoubleTree brands, as well as Hilton.
The first of these two malware cases was uncovered in February 2015, when Hilton found that one of its systems based in the United Kingdom was connecting with a suspect computer outside of its corporate network. Further checks indicated that malware, which was targeting credit cards, had infected its cash register computers, potentially revealing customers’ credit card details between. This occurred between 18th November and 5th December 2014.
An intrusion detection system alerted Hilton to another problem in July 2015. A subsequent probe into this second incident revealed that payment card data had once again been targeted by malware since April of the same year. Hilton did not notify the public about the data breaches until November 2015. This was more than nine months after the first discovery and more than three months following the second. By this time there had already been reports in the media that a number of banks suspected that credit card details had been stolen from payment systems used in Hilton gift shops and restaurants.
The firm maintains it could find no proof of any data being stolen in either of the two cases. The attorney generals noted that the intruders had used ‘anti-forensic tools’ that made it impossible to identify precisely what had occurred.
As part of the settlement, Hilton has promised to disclose future breaches more quickly and to perform regular security tests, among other enhanced safety efforts.
The company said in a statement “Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems”.
News is bound to travel fast when a company like Hilton is fined for data breach. However, this incident occurred before the new GDPR law came into force in May 2018, which would have attracted a far heavier financial penalty. It is expected that many more stories like this one are likely to break in the coming months.
If Hilton had been subject to the GDPR penalties, the firm would likely have had to pay more than $400 million, or $1,200 for every compromised record. USA based companies, like any other company conducting business in the EU are bound by GDPR regulations.