Keystone Today

Last week Attorney General Josh Shapiro announced that Pennsylvania, as well as a group of other AGs, has come to two multi-state settlements with Experian regarding data breaches that occurred in 2012 and 2015.

According to the November 7 release, this compromised the personal information of 484,147 residents of Pennsylvania. Another settlement was also reached with T-Mobile that was connected with the 2015 breach, which impacted more than 400,000 Pennsylvania consumers that submitted credit applications with T-Mobile. Through the settlements, the companies agreed to improve data security measures and pay the state more than $16 million combined. Pennsylvania is receiving $464,000 from the settlements.

“These data breaches will keep happening until we force change in corporate behavior,” said AG Shapiro. “Experian and T-Mobile failed in their responsibility to safeguard consumers’ personal information. Their systems were vulnerable to a massive data breach, and the personal identifying information of millions of Americans was put at risk. This settlement ensures that Experian & T-Mobile must do the right thing and fix the security failures that led to a preventable data breach.”

Experian is one of the three major credit reporting bureaus, and in September 2015 the company reported a data breach where an unauthorized actor accessed the network where personal information was stored on behalf of T-Mobile. The breach involved information associated with consumers that applied for postpaid services through T-Mobile, as well as device financing between identification numbers. This includes driver’s licenses and passport numbers. Experian’s consumer credit database and T-Mobile systems were not compromised.

A 40-state multi-state group obtained separate settlements from Experian and T-Mobile. Part of a $12.67 million settlement includes Experian agreeing to strengthen its due diligence and data security practices.

The settlement also requires Experian to offer five years of free credit monitoring services to those who were affected. It also requires two free copies of their credit reports annually over five years. Any class members in the 2019 class action settlement are eligible to enroll in the extended credit monitoring services. Consumers who were affected can enroll for the next six months.

T-Mobile has also agreed to vendor management provisions to strengthen vendor oversight. This is through the implementation of a Vendor Risk Management Program; maintenance of a T-Mobile vendor contract inventory; establishing vendor assessment and monitoring mechanisms and imposition of contractual data security requirements for T-Mobile vendors and sub-vendors.

Experian also agreed to pay $1 million to resolve another multistage investigation into Experian Data Corp.