The settlement resolves claims that the hotel chain lacked reasonable data security and was too slow to tell consumers about the intrusions, waiting 9-1/2 months after learning of the first and more than three months after learning of the second.

New York Attorney General Eric Schneiderman said a breach occurred in late 2014 when a Hilton system in the United Kingdom began communicating with a suspicious outside computer, while another occurred in the spring and summer of 2015.

The McLean, Virginia-based company did not tell consumers about the breaches until Nov. 24, 2015, according to Schneiderman and his Vermont counterpart, T.J. Donovan.

Tuesday’s settlement requires Hilton to disclose breaches faster, improve monitoring for potential threats, and adhere to data security standards used in the card industry.

New York will receive $400,000 from the settlement, and Vermont will receive $300,000. The offices of their attorneys general were not immediately available for further comment.

Hilton’s brands also include Conrad, DoubleTree, Embassy Suites, Homewood Suites and the Waldorf Astoria, among others.

Get Data Sheet, Fortune’s technology newsletter.

“Two years ago, Hilton took action to eradicate unauthorized malware that targeted guest payment card information,” Hilton said in a statement. “Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems.”