TravelMole
Breaking

Hilton fined for delay in disclosing data breach

Friday, 3 November 20173 min read

Hilton has been ordered to pay a $700,000 penalty for failing to disclose two separate payment card data breaches promptly enough.

More than 360,000 accounts of customers were exposed in two malware attacks which began in November 2014 and again in April 2015 but the company didn’t inform customers until November 2015.

The fine will be paid to the states of New York and Vermont which conducted a joint investigation.

Their respective state attorney generals agreed the settlement with the company.

"Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk," said Eric Schneiderman, New York’s attorney general.

Under the settlement terms Hilton has pledged to disclose any future breaches in a more timely fashion, strengthen its cyber security team and conduct regular security diagnostic tests on systems vulnerable to malware intrusions.

"Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems," Hilton said in a statement.

In May 2018, tighter data protection rules will come into force in the UK that will mean companies risk fines of up to 4% of their global turnover if they fail to protect the data of their customers, staff and suppliers.

Travel companies are being urged to act now to make sure they’re ready to comply with new laws under which claimants will no longer need to demonstrate a financial loss as a result of the breach but can claim thousands of pounds for anxiety.

The details of the rules have not yet been finalised but will mean companies must ensure they have permission from their customers to hold their data for as long as is deemed ‘reasonable’.

To prepare for the changes, travel companies are being advised to scrutinise their cyber risk, identify weak points, test vulnerabilities, train staff to be able to recognise phishing, download the latest virus and security software and back-up data.

They should also have a clear data protection strategy in place, and also be checking that their suppliers have got a good protection policy in place.