Hilton Domestic Operating Co., Inc. (Hilton) has agreed to pay the New York and Vermont Attorneys General $700,000 to settle allegations that it violated those states' consumer protection and data breach notification laws when it failed to implement reasonable security measures to protect consumer data and waited nine months to notify consumers of a data breach.

Hilton suffered two malware intrusions. The first was discovered in February 2015 and had exposed consumer data between November 18, 2014, and December 5, 2014. Hilton then discovered a second malware infection in July of 2015. This incident exposed 363,952 credit card numbers. Hilton publicly disclosed the breaches on November 24, 2015, a delay the AGs found to be unreasonable, despite the fact that Hilton claimed there was no evidence that the data had been exfiltrated from its system.

In addition to the payment of the monetary penalty, Hilton has agreed to implement a comprehensive information security program designed to protect consumers’ credit card information.