The New York attorney general, who conducted an investigation along with his counterpart in Vermont, said yesterday that one breach began in November 2014 and another in April 2015 but Hilton didn't tell consumers until November 2015.
The state officials say Hilton didn't comply with payment-card security standards.
Hilton spokeswoman Meg Ryan says the company cooperated with law enforcement and took steps to wipe out malware that targeted customers' card information.
Virginia-based Hilton Domestic Operating Company Inc. was previously known as Hilton Worldwide. The company has more than 5,100 properties in about 100 countries under names including Hilton Hotels, DoubleTree by Hilton, Embassy Suites and Hampton by Hilton.
Disclaimer: No Business Standard Journalist was involved in creation of this content