A group of 40 AGs reached settlements with Experian Information Solutions, Inc. and T-Mobile USA, Inc. concerning a 2015 data breach experienced by Experian that allegedly compromised the personal information of more than 15 million individuals in violation of the states’ consumer protection acts, personal information protection acts, and security breach notification laws.
According to the AGs, the credit reporting bureau Experian discovered in September 2015 that a data breach allowed an unauthorized actor to gain access to a part of its network storing personal information on behalf of its client, T-Mobile. The compromised information allegedly included names, addresses, dates of birth, Social Security numbers, government identification numbers, and related information used by T-Mobile to assess the credit histories of consumers who had applied for T-Mobile’s postpaid services and device financing between September 2013 and September 2015.
Under the terms of the $12.67 million settlement, Experian must strengthen its due diligence and data security practices and offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. Under a separate $2.43 million settlement, T-Mobile must implement detailed vendor management provisions designed to strengthen its vendor oversight in the future.