BOSTON — Attorney General Maura Healey today announced multistate settlements with Experian, totaling over $13.67 million, concerning data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide. A $2.5 million multistate settlement was also reached with T-Mobile in connection with the 2015 Experian breach, which impacted more than 15 million individuals who submitted credit applications with the telecommunications company.
Under the terms of the settlements, Experian, one of the big-three credit reporting agencies, and T-Mobile have agreed to improve their data security practices and pay the states a combined amount of more than $16 million. Massachusetts will receive over $625,000 from the settlements.
“Ensuring the security and privacy of Massachusetts consumers is a top priority and we take data breaches and their potential risks seriously,” said AG Healey. “I am pleased to join my colleagues today in holding these companies accountable for their failures to protect the sensitive information of our residents.”
In 2012, the U.S. Secret Service alerted Experian Data Corp., a subsidiary of Experian, to the existence of an identity thief who was posing as a private investigator and retrieving sensitive personal information, potentially including names, Social Security numbers, addresses, and/or phone numbers, from Court Ventures Inc., a database company that Experian Data Corp. had purchased. The thief had begun accessing information from the Court Ventures Inc. database before Experian Data Corp. purchased the company and continued to do so afterwards. Experian Data Corp. never notified affected consumers of the data breach.
Since that time, the identity thief has pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges.
In September 2015, Experian also reported it had experienced a data breach in which a hacker gained access to a part of Experian’s network storing personal information on behalf of its client, T-Mobile. The breach involved the personal information of consumers – including more than 280,000 Massachusetts residents – who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s own credit assessments. Experian offered two years of credit monitoring services to consumers following the breach.
The attorneys general reached separate settlements with Experian and T-Mobile in connection with the data breaches. Today’s settlements resolve claims that the companies’ data security practices were in violation of state consumer protection laws and breach notification laws, including the Massachusetts Data Security Regulations.
Under the terms of the settlements, Experian will pay a total of $13.67 million in connection with the 2012 and 2015 data breaches and has agreed to strengthen its data security practices going forward. Terms of the Experian settlements also require the company to:
- Maintain a comprehensive incident response and data breach notification plan;
- Strengthen its vetting and oversight of third parties that it allows to access personal information;
- Develop an Identity Theft Prevention Program to detect potential red flags in its customers’ accounts;
- Not misrepresent to its clients the extent to which Experian protects the privacy and security of personal information;
- Strengthen due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration; and
- Implement data minimization and disposal requirements, including specific efforts aimed at reducing the use of Social Security numbers as identifiers.
Experian will also be required to offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. This is in addition to the four years of credit monitoring services already offered to affected consumers — two of which were offered by Experian in the wake of the 2015 breach, and two that were secured through a separate 2019 class action settlement. Affected consumers can enroll in the five-year extended credit monitoring services and find more information on eligibility here.
In a separate $2.43 million settlement, T-Mobile has agreed to vendor management provisions designed to strengthen its vendor oversight going forward, including implementing a program to oversee vendors’ security, writing specific security requirements such as encryption, password and patching controls into its vendor contracts, and taking action against vendor non-compliance.
AG Healey co-led the multistate investigation into the 2012 data breach, along with Illinois Attorney General Kwame Raoul and with assistance from the attorneys general of Connecticut, Indiana, Maryland, New Jersey, North Carolina, Texas, and Vermont. The AG’s Office also assisted in the multistate investigation into the 2015 data breach, which was co-led by the attorneys general of Connecticut, District of Columbia, Illinois, and Maryland, and was also assisted by Texas.
This case was handled for Massachusetts by Division Chief Jared Rinehimer, of the AG’s Data Privacy and Security Division.
Source: Massachusetts Attorney General Maura Healey
For some more background on the US Info Search/Court Ventures/Experian breach, see this post and Brian Krebs’ reporting on the breach.