The company behind Hilton Hotels is paying a $700,000 (£525,000) fine after being accused of mishandling two separate credit card data breaches.
The attacks were in 2014 and 2015.
More than 363,000 accounts were put at risk, although it remains unclear whether the perpetrators managed to extract any details.
US government investigators said the firm had taken too long to warn customers and had lacked adequate security measures.
The penalty will be divided between the states of New York and Vermont. Their attorney generals agreed the settlement with the company, which operates properties under the Waldorf Astoria, Conrad Hotels and DoubleTree brands in addition to Hilton.
The first of the two cases was discovered in February 2015, when Hilton learned that one of its UK-based systems was communicating with a suspicious computer outside its network.
Checks revealed that credit-card targeting malware had infected its cash register computers, potentially exposing customers’ card details between 18 November and 5 December 2014.
In the second incident, an intrusion detection system alerted Hilton to another problem in July 2015. A subsequent probe revealed that payment card data had again been targeted by malware since April of the same year.
Hilton only notified the public about the breaches in November 2015, which was more than nine months after the first discovery and more than three months after the second.
By this point, there had already been media reports that several banks suspected card details had been stolen from payment systems used in Hilton gift shops and restaurants.
Although the Virginia-headquartered firm still maintains it found no proof that any data had been stolen in either case, the attorney generals noted that the intruders had used anti-forensic tools that had made it impossible to determine exactly what had been done.
As part of the settlement, Hilton has promised to disclose future breaches more quickly and to perform regular security tests, among other enhanced safety efforts.
“Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems,” the company said in a statement.