On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s investigation, a hacker bypassed security detection and built malware that targeted payment cards on one of the company’s platforms. The company was also notified by a business partner of potentially fraudulent point of purchase transactions related to the data breach. Under the terms of the Assurance of Voluntary Compliance—which alleges the company violated the state’s Unfair Trade Practices and Consumer Protection Law by misrepresenting safeguards for customer data in its privacy policy and failing to fully implement data security policies—the companies have agreed to pay $110,000, including a $80,000 civil penalty and $30,000 towards future public protection and education purposes. The company must also implement a number of security requirements, such as (i) implementing a comprehensive information security program on their travel website; (ii) conducting annual risk assessments; (iii) developing a program for implementing and operating safeguards; and (iv) complying with Payment Card Industry Data Security Standards.