New York's and Vermont's probe into the matter concluded that Hilton took too long to notify its customers of the breach and failed to properly protect their information. The settlement announced today stipulates that New York will receive $400,000 from Hilton while Vermont will receive $300,000. Hilton has also agreed to change its information security program, which includes designating an employee to supervise it, identifying risks to information security as well as implementing risk safeguards and performing regular testing of their effectiveness.

"Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible," New York Attorney General Eric Schneiderman said in a statement. "Lax security practices like those we uncovered at Hilton put New Yorkers' credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers' personal information." TJ Donovan, Vermont's attorney general, said, "We continue to make enforcement of our data breach laws a top priority."