NEW JERSEY — New Jersey will be receiving approximately $500,000 under the settlements of two multistate investigations into data breaches affecting Experian in 2012 and 2015 that compromised the personal information of millions of consumers nationwide, Attorney General Matthew J. Platkin announced Monday.
The multistate investigation of the 2015 Experian breach focused on alleged lax data security at Experian and poor vendor oversight by T-Mobile, which had contracted with Experian to run credit checks on potential T-Mobile customers. The breach impacted the sensitive personal information of more than 15 million people who submitted credit applications to T-Mobile.
Under the settlements with Experian and T-Mobile, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $16 million. New Jersey was among 40 states that obtained a separate settlement with T-Mobile stemming from the 2015 breach.
“Consumers entrusted these companies with a wealth of important information about themselves, but the companies failed to properly store, safeguard, or dispose of it,” Platkin said. “With cybersecurity threats continuing to put both public and private entities at risk, we are sending a clear message that businesses must make it a priority to be aware of emerging threats, identify and rectify their own technological vulnerabilities, and handle their customers’ private information with the utmost care.”
“Institutions that require customers to divulge important personal information in order to receive essential services have an obligation to store that information responsibly,” said Division of Consumer Affairs Acting Director Cari Fais. “The cost of not doing so can be enormous both for the victims whose information is improperly taken and used, and for the entities that dropped the ball when it came to preserving their customers’ privacy.”
During the 2015 breach, an unauthorized actor gained access to part of Experian’s network storing personal information on behalf of its client, T-Mobile, potentially by using a known application vulnerability.
After gaining access to the system in September 2015, the intruder accessed the T-Mobile database on the Experian server, resulting in the compromise of consumer data on millions of individuals who applied for T-Mobile postpaid services and device financing between September 2013 and September 2015— 489,789 of which were New Jersey residents.
The compromised data included names, addresses, dates of birth, Social Security numbers, and government ID numbers like drivers’ license numbers.
The state attorneys general allege that Experian failed to patch critical vulnerabilities, properly configure its web application firewall, and make other improvements to secure customers’ information. The states also allege T-Mobile’s vendor management practices contributed to the breach. The states contend that T-Mobile failed to review information security audits, instead relying on Experian’s unverified representations about data security and ignoring red flags.
In addition to providing monetary relief to the states, Experian has agreed to terms to strengthen its data security practices in the future. These terms include:
- Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
- Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
- Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
- Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
- Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.
The settlement also requires Experian to offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. This is in addition to the four years of credit monitoring services already offered to affected consumers— two of which were offered by Experian in the wake of the breach, and two that were secured through a separate 2019 class action settlement. The deadlines to enroll in these prior offerings have since passed.
Affected consumers can enroll in the credit monitoring services and find more information on eligibility here. The enrollment window will remain open for 6 months.
Meanwhile T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward.
The settlement with T-Mobile does not concern the unrelated data breach announced by T-Mobile in August 2021.
Concurrently with the 2015 data breach settlement, Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into another Experian-owned company—Experian Data Corp. (“EDC”)— in connection with EDC’s alleged failure to prevent or provide notice of a 2012 data breach that occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in EDC’s commercial databases.
Since that time, the individual has pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges.
Under this resolution, entered into by a separate group of 40 states including New Jersey, EDC has agreed to a series of provisions designed to strengthen its security and reporting practices, including:
- Strengthening its vetting and oversight of third parties that it allows to access personal information;
- Investigating and reporting data security incidents to the Attorneys General;
- Maintaining a “Red Flags” program to detect and respond to potential identity theft; and
- Implementing certain personal information safeguards and controls, including encryption or its equivalent for personal information on their network and in transit.