Hotel Chain Waited 9 Months to Warn Customers After Discovering First Breach
Global hotel chain Hilton has reached a $700,000 settlement agreement with two states over two separate data breaches discovered in 2015 that exposed more than 360,000 payment card numbers (see Hilton Hotels: We Were Breached).
The settlement is the culmination of investigations launched by the state governments of New York and Vermont. Investigators at New York’s Bureau of Internet and Technology say they found that Hilton “did not maintain reasonable data security” and also failed to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a standard maintained by the major card brands that requires every organization handling cardholder data to store, process and transmit it securely.
Investigators also found that Hilton failed to notify data breach victims in a timely manner, waiting nine months to issue such a notification after the first breach.
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible,” says Eric T. Schneiderman, attorney general of New York state. “Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
New York will receive $400,000 of the settlement; Vermont will receive $300,000.
Hilton is one of the world’s largest hospitality companies, encompassing 4,900 properties across 104 countries and territories. The company owns, manages, or franchises such brands as Hilton Hotels & Resorts, Waldorf Astoria, Conrad Hotels, DoubleTree, Embassy Suites, Hilton Garden Inn and Homewood Suites.
Hilton didn’t immediately respond to a request for comment on the settlement agreement.
Hilton Breached in 2014 and 2015
The hotel chain had initially claimed that there was no evidence that cardholder data had been exposed. But Hilton failed to acknowledge that its digital forensic investigators had not been able to review all relevant logs or that attackers used anti-forensic techniques to hide their trail, investigators say.
Just one week before admitting in a Nov. 24, 2015, press release that “unauthorized malware … targeted payment card information in some point-of-sale systems” in separate 2014 and 2015 breaches, a Hilton spokesman had told Information Security Media Group that the company was not aware of any network intrusion or resulting fraud incidents that suggested that it had been breached.
This week, investigators offered additional details into the two breaches Hilton discovered in 2015:
- First breach: “On February 10, 2015, Hilton learned from a computer services provider that a system Hilton utilized in the United Kingdom was communicating with a suspicious computer outside Hilton’s computer network. A forensic investigation revealed credit-card targeting malware that potentially exposed cardholder data between November 18, 2014, and December 5, 2014.”
- Second breach: “On July 10, 2015, Hilton learned of a second breach through an intrusion detection system. A forensic investigation found further malware designed to steal credit card information. It found that payment card data was potentially exposed from April 21, 2015, through July 27, 2015, as well as evidence of 363,952 credit card numbers aggregated for removal by the attackers.”
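The second finding above, a file of 363,952 card numbers “aggregated for removal,” is the kind of artifact a defender can look for directly: POS-targeting malware commonly stages stolen track data in a local file before it is sent out. A simple content check, scanning files on POS hosts for runs of 13 to 19 digits that pass the Luhn checksum, separates real card numbers from timestamps and reference numbers, and a count above a small threshold is a strong signal. The Python below is an added example written for this article, not tooling from Hilton, the investigators or any product; the sample lines and the alert threshold are constructed.

```python
"""Flag files that contain aggregated payment card numbers (Luhn-validated PANs).

Added illustrative detection code; not Hilton's or the investigators' tooling.
"""
import re

# Candidate PAN: a bare run of 13-19 digits not adjoining other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every digit run that looks like a PAN and passes Luhn."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so alerts never carry a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_staging_file(text: str, threshold: int = 3) -> bool:
    """True when the text holds at least `threshold` Luhn-valid PANs (constructed cutoff)."""
    return len(find_pans(text)) >= threshold


# Constructed sample: one benign POS log line with a 14-digit timestamp/reference,
# three well-known card-brand test numbers, and one digit run that fails Luhn.
SAMPLE = """\
2015-07-21 12:00:00 pos-ukl-07 txn ok ref=20150721120000
4111111111111111|12/17|SMITH
5500000000000004|03/18|JONES
378282246310005|09/16|LEE
1234567890123456|01/19|BOGUS
"""

if __name__ == "__main__":
    hits = find_pans(SAMPLE)
    print(f"{len(hits)} PAN(s) found, staging file: {is_staging_file(SAMPLE)}")
    for pan in hits:
        print("  ", mask_pan(pan))
```

The Luhn filter is what keeps the check usable: the 14-digit reference number and the bogus run are dropped, and only the three real card-format numbers are counted, so a POS host suddenly holding hundreds of such strings in a file stands out without drowning operators in timestamp matches. Alerts report masked values only.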
Unreasonable Breach Notification Delay
Hilton notified breach victims on Nov. 24, 2015, which was more than nine months after it had discovered the first intrusion.
New York officials say that wasn’t good enough. Indeed, under New York state law, any entity that discovers a breach involving individuals’ private information must notify the victim as quickly as possible. In the words of the relevant state law: “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
While that leaves notification decisions to organizations that suffered the breach, many data breach experts say that all organizations should have the practices, procedures and technology in place before any breach occurs that would allow them to investigate the breach and provide actionable information to victims within 30 to 60 days (see Data Breach Notifications: What’s Optimal Timing?).
On its website, Hilton’s Global Privacy statement had also promised customers that it would “take reasonable measures to … protect personal information from unauthorized access, disclosure, alteration or destruction and … keep personal information accurate and up-to-date as appropriate.” The website repeatedly assured customers that “your information is secure.”
New York officials say the hotel failed to honor those promises.
As part of Hilton’s settlement agreement, it must now “provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program and conduct data security assessments,” the New York attorney general’s office says. It says that includes “evaluating Hilton’s information security program and [adjusting] it based on testing or monitoring results or other circumstances … that Hilton knows, or an entity acting reasonably under the circumstances would know, may have a material impact on the program’s effectiveness.”
The hotel chain must also “annually obtain a written assessment of the extent of its compliance with PCI DSS and report to the attorney general if it is not fully compliant,” the New York attorney general’s office adds.
Hospitality Breach Epidemic
Hilton is only one of a number of hospitality sector organizations, including hotels and restaurants, that have suffered payment card breaches in recent years (see Hyatt Hotels Suffers International Payment Card Data Breach).
In July, Trump Hotels warned that it had suffered its third payment card breach in as many years, saying attackers had been compromising card data at 14 of its properties for seven months (see Trump Hotels Suffers Another Payment Card Breach).
In April, Intercontinental Hotels Group warned that malware had infected POS devices at 1,200 of its locations beginning in September 2016. IHG’s brands include Crowne Plaza, Intercontinental, Kimpton and Holiday Inn.
Other hotels that have been breached include HEI Hotels & Resorts – which manages some hotels owned by IHG – as well as Omni Hotels & Resorts, among others.
Attackers have also sabotaged third-party point-of-sale service providers, including Oracle, to steal card data. In August of last year, Oracle warned that an attacker planted malware in a support portal for servicing and maintaining its MICROS POS systems – one of the most widely used POS systems in the world, with 330,000 customers in 180 countries.