This is an archived article that was published on sltrib.com in 2016, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

Albany, N.Y. • The Trump Hotel Collection company has agreed to pay $50,000 and shore up data security after breaches exposed more than 70,000 credit card numbers and other personal data, the state's attorney general said on Friday in announcing a settlement.

In May 2015, multiple banks analyzed hundreds of fraudulent credit card transactions and determined the hotel group, one of Republican presidential nominee Donald Trump's businesses, was the last merchant with legitimate transactions, according to the attorney general's office.

Authorities said the company knew by June 2015 that hotels in New York City, Miami, Chicago, Honolulu, Las Vegas and Toronto had been compromised but didn't notify customers for four months, a violation of New York business law requiring prompt notification. They said a hacker infiltrated the hotel group's payment processing system in May 2014.

"It is vital in this digital age that companies take all precautions to ensure that consumer information is protected and that, if a data breach occurs, it is reported promptly to our office, in accordance with state law," said Attorney General Eric Schneiderman, a Democrat.

Safeguarding customer data is a top priority, a Trump Hotels Collection spokeswoman said.

"Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations, including almost every major hotel company," she said.

According to the attorney general's office, the company last March received additional reports of a second security breach, an investigation showing a hacker got unauthorized access last November and installed credit card harvesting malware on 39 systems affecting five hotels, including Trump SoHo New York.

In April, the company added recommended precautions including authentication for remote access that requires username, password and then another piece of information only the user should know, such as a random number from a token.