Experian and T-Mobile have reached separate settlements with 40 US states following a pair of data breaches in 2012 and 2015. The settlement will net authorities $16 million, along with assurances it won’t happen again.
Experian will be bearing the brunt of the fine, with $14 million coming from the credit reporting company.
Led by attorneys general from Massachusetts and Illinois, the settlements stem from a pair of data breaches at Experian in 2012 and 2015, the latter of which T-Mobile was caught up in.
The 2012 breach at Experian was revealed following a notification to the US Secret Service. Experian bought a company called Court Ventures, Inc., and all of its customers, one of whom was an identity thief. That crook has since pleaded guilty to wire fraud, identity fraud and other crimes, including falsely representing himself as a private investigator to gain access to Experian systems.
All the data collected by that single intruder was handed to other nefarious parties, who made over 3 million queries for personal information against data owned by CVI and Experian.
Experian gave no notice to affected consumers or state authorities regarding the incident.
In 2015, the consumer credit reporting company was hit again. This time the attacker managed to gain access to a portion of Experian’s network where T-Mobile stored data used to process customer applications. As a result of that attack, the data of 15 million people – including Social Security numbers, other ID numbers, name, address and birthdate – was stolen.
T-Mobile and Experian notified customers of that attack, and Experian offered free credit reporting services, as is usually the case when a large company has that volume of personally identifiable information stolen.
Wrist, meet slap
Along with startlingly small financial penalties, Experian is being forced to provide an additional five free years of credit monitoring on top of two years it previously awarded in wake of the 2015 breach, as well as two free credit reports annually.
In addition, the credit bureau’s settlement included requirements that it maintain an incident response and data breach notification plan, develop an identity theft prevention program, and do proper due diligence in vetting people with access to data, including reassessing access after an acquisition.
Experian was also told not to “misrepresent to its clients the extent to which [it] protects the privacy and security of personal information.”
T-Mobile, meanwhile, was told to improve its vendor management oversight and develop a compliance program that ensures third parties with access to customer PII are storing it properly.
Whether either company has learned from those breaches is unclear, especially in light of subsequent incidents at both companies.
In 2020, Experian reported it had handed data including PII for 24 million South Africans to another individual who falsely represented themselves in order to gain access. Despite assurances that the data had been recovered and destroyed, it later showed up online.
Last year, T-Mobile was attacked again and 77 million customer records were stolen. T-Mobile paid out $550 million to settle that case. Startlingly, it’s T-Mobile’s fifth acknowledged breach in four years.
To put its latest $2.43 million fine in perspective, the Un-Carrier reported a net income of $508 million in Q3 of this year. Experian, facing $13.67 million in fines, made around $6.2 billion in FY 22 [PDF].
“I am pleased to join my colleagues today in holding these companies accountable for their failures to protect the sensitive information of our residents,” said Massachusetts AG Maura Healey. ®