Attorney General Josh Shapiro announces $16 million settlement over T-Mobile and Experian data breaches
November 8, 2022 – Attorney General Josh Shapiro announced Monday that a settlement has been reached with Experian concerning a data breach.
Along with a coalition of other attorneys general, Shapiro reached two multistate settlements concerning the 2012 and 2015 data breaches that compromised the personal information of 484,147 Pennsylvanians.
An additional settlement was reached with T-Mobile in connection with the 2015 Experian breach, which impacted more than 400,000 Pennsylvanians who submitted credit applications with T-Mobile.
Under the settlements, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $16 million.
Pennsylvania will receive $464,000 from these settlements.
“These data breaches will keep happening until we force change in corporate behavior,” said Shapiro in a statement. “Experian and T-Mobile failed in their responsibility to safeguard consumers’ personal information.”
In September of 2015, Experian, one of the three major credit reporting bureaus, reported that it had experienced a data breach in which an unauthorized party gained access to part of Experian’s network that stored personal information on behalf of its client, T-Mobile.
The breach involved information associated with consumers who had applied for T-Mobile postpaid services and device financing between September of 2013 and September 2015.
The breached information included names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers) and related information used in T-Mobile’s own credit assessments.
Neither Experian’s nor T-Mobile’s consumer credit database was compromised in the breach.
“Their systems were vulnerable to a massive data breach, and the personal identifying information for millions of Americans was put at risk,” said Shapiro.
As part of the $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward. This includes:
- Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
- Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
- Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
- Data minimization and disposal requirements, including specific efforts aimed at reducing the use of Social Security numbers as identifiers; and
- Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.
The settlement also requires Experian to offer 5 years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that time frame.
Additionally, consumers who were class members of the 2019 class action settlement are still eligible to enroll in these extended credit monitoring services.
Affected consumers can enroll in the five-year extended credit monitoring services. The enrollment window will remain open for six months.
In a separate $2.43 million settlement, T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward. Those include:
- Implementation of a Vendor Risk Management Program;
- Maintenance of a T-Mobile vendor contract inventory, including vendor risk ratings based on the nature and type of information that the vendor receives or maintains;
- Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including requirements related to segmentation, passwords, encryption keys, and patching;
- Establishment of vendor assessment and monitoring mechanisms; and
- Appropriate action in response to vendor non-compliance, up to contract termination.
The settlement with T-Mobile does not concern the unrelated, massive data breach announced by the company in August 2021, which is still under investigation by a multistate coalition of Attorneys General.