Press Releases
11/07/2022
Connecticut Joins Combined $16 Million Multistate Settlements Over 2012 and 2015 Experian Data Breaches
Experian and T-Mobile Agree to Improve Data Protection Practices
(Hartford, Connecticut) – Attorney General Tong announced today that Connecticut, along with a coalition of other attorneys general, has obtained two multistate settlements with Experian concerning data breaches it experienced in 2012 and 2015 that compromised the personal information of millions of consumers nationwide. The coalition has also obtained a separate settlement with T-Mobile in connection with the 2015 Experian breach, which impacted more than 15 million individuals who submitted credit applications with T-Mobile. Under the settlements, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $16 million. Connecticut will receive a total of $886,175 from the settlements.
“Experian and T-Mobile had independent obligations to safeguard consumers’ personal information. They each failed to do so in their own respects. Our multistate settlement sends a strong message to companies that we will hold them accountable if they fail to take reasonable measures to protect consumers’ information—whether that information is managed on their own systems or entrusted to a third party,” said Attorney General Tong.
In September 2015, Experian, one of the big-three credit reporting bureaus, reported it had experienced a data breach in which an unauthorized actor gained access to part of Experian’s network storing personal information on behalf of its client, T-Mobile. The breach involved information associated with consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s own credit assessments. 142,789 Connecticut residents were impacted by the 2015 breach. Neither Experian’s consumer credit database, nor T-Mobile’s own systems, were compromised in the breach.
Connecticut co-led a 40-state multistate group which has obtained separate settlements from Experian and T-Mobile in connection with the 2015 data breach. Under a $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward. Those include:
- Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
- Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
- Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
- Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
- Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.
The settlement also requires Experian to offer 5 years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. This is in addition to the four years of credit monitoring services already offered to affected consumers—two of which were offered by Experian in the wake of the breach, and two that were secured through a separate 2019 class action settlement. The deadlines to enroll in these prior offerings have since passed.
If you were a class member in the 2019 class action settlement, you are eligible to enroll in these extended credit monitoring services. Affected consumers can enroll in the 5-year extended credit monitoring services and find more information on eligibility here. The enrollment window will remain open for 6 months.
In a separate $2.43 million settlement, T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward. Those include:
- Implementation of a Vendor Risk Management Program;
- Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains;
- Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching;
- Establishment of vendor assessment and monitoring mechanisms; and
- Appropriate action in response to vendor non-compliance, up to contract termination.
The settlement with T-Mobile does not concern the unrelated, massive data breach announced by T-Mobile in August 2021, which is still under investigation by a multistate coalition of Attorneys General co-led by Connecticut.
Concurrently with the 2015 data breach settlements, Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into another Experian-owned company—Experian Data Corp. (“EDC”)—in connection with EDC’s failure to prevent or provide notice of a 2012 data breach that occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in EDC’s commercial databases. Under that resolution, entered into by a separate group of 40 states, EDC has agreed to strengthen its vetting and oversight of third parties to which it provides personal information, investigate and report data security incidents to the Attorneys General, and maintain a “Red Flags” program to detect and respond to potential identity theft.
Michele Lucan, Chief of the Privacy Section, along with Assistant Attorneys General John Neumon and Aine DeMeo assisted the Attorney General in this matter.
Media Contact:
Elizabeth Benton
elizabeth.benton@ct.gov
Consumer Inquiries:
860-808-5318
attorney.general@ct.gov