40 States Obtain $16M Settlements with Experian, T-Mobile Over Data Breaches
A coalition of 40 state attorneys general has obtained two multistate settlements for $12.67 million with credit data firm Experian concerning data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide.
The attorneys general have also obtained a separate $2.43 million settlement with T-Mobile in connection with the 2015 Experian breach, which they say affected more than 15 million individuals who submitted credit applications with T-Mobile. In September 2015, Experian reported that an unauthorized actor gained access to part of its network storing personal information on behalf of its client, T-Mobile. The breach involved information associated with consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015.
The data included names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s own credit assessments.
The states participating in the settlements are Arizona, Arkansas, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Vermont, Virginia, Washington, and Wisconsin
Under the settlements, Experian has promised to improve its data security practices and offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe.
T-Mobile has agreed to implement a vendor management program to strengthen its vendor oversight.
“Experian and T-Mobile had independent obligations to safeguard consumers’ personal information. They each failed to do so in their own respects. Our multistate settlement sends a strong message to companies that we will hold them accountable if they fail to take reasonable measures to protect consumers’ information—whether that information is managed on their own systems or entrusted to a third party,” said Connecticut Attorney General William Tong, one of the leaders of the investigation into the breaches whose state will receive a total of $886,175 from the settlements.
The settlement with T-Mobile does not concern the data breach announced by T-Mobile in August 2021, which is still under investigation by state attorneys general. In July, T-Mobile offered to pay $350 million and spend an additional $150 million to upgrade data security to settle litigation over this cyberattack that compromised information belonging to an estimated 76.6 million people.
Concurrently with the 2015 data breach settlements, Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into another Experian-owned company, Experian Data Corp., in connection with EDC’s failure to prevent or provide notice of a 2012 data breach.
- US High Court Declines Appeal, Upholds Coverage Ruling on Treated Wood
- PE Firm Cornell Sued Over $345 Million Instant Brands Dividend
- Fake Bear Attacks on Car for Fraudulent Insurance Claims Lead to Arrests
- T-Mobile’s Network Breached as Part of Chinese Hacking Operation