The investigation revealed that crooks installed a PoS malware in Hilton payment systems, potentially exposing customers’ card details between 18 November and 5 December 2014.
The second incident was spotted in July and dates back April of the same year.
Hilton Domestic Operating Company, Inc notified customers about the incident only in November 2015.
The company is accused of poor security of its payment system and is responsible for the delay in informing customers.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” said Attorney General Eric T. Schneiderman.
“Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
As part of the settlement, Hilton will strengthen the security of its payment systems and internal procedures for incident handling.
“Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems,” the company said in a statement.
Let’s try to imagine the outcome of this incident under the forthcoming EU GDPR regulation. With such regulation in line, it would be $420 million, as the fine can represent up to 4 percent of the company’s turnover.
(Security Affairs – Hilton Hotel, card data breach)
source : Cyber Crime – Security Affairs http://ift.tt/Lp7iZa November 13, 2017 at 11:12AM