A coalition of 40 U.S. state attorneys general has reached separate settlements with Experian and T-Mobile totaling over $16 million following data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide.  

According to the terms of the settlements, Experian, one of the big-three credit reporting agencies, will bear a $13.67 million fine for security incidents in 2012 and 2015. T-Mobile will pay $2.43 million for the settlement in connection with the 2015 Experian breach. Both companies have agreed to take steps to improve their security measures.  

In 2012, a data breach at Experian was revealed following the U.S. Secret Service’s alert that one of the customers at Experian-owned company Court Ventures was an identity thief who posed as a private investigator and obtained consumers’ sensitive personal information. The individual has since pleaded guilty to wire fraud, identity fraud, access device, and computer fraud and abuse, among other charges.  

Experian did not notify affected consumers of the incident.  

In 2015, Experian reported another data breach. This time, the hacker compromised a part of Experian’s network where its client, T-Mobile, stored its customer information. The attack affected over 15 million T-Mobile customers who submitted credit applications with the telecommunications company between September 2013 and September 2015.  

In this case, T-Mobile and Experian notified customers after the breach, with Experian providing two-year credit monitoring services to consumers following the attack.  

Monday’s settlement resolves the allegations that Experian’s security measures violated state consumer protection laws and breach notification laws. Under the terms of the Experian settlements, the company is required to improve its security practices, including releasing a comprehensive data breach notification plan and developing an identity theft prevention program to spot potential red flags in customers’ accounts.

In addition, Experian is required to provide an additional five years of free credit monitoring services to affected consumers on top of the two years of services it previously offered following the 2015 breach.

In the separate $2.43 million settlement with T-Mobile, the telecommunications company agreed to improve its vendor management oversight, such as listing specific security requirements in its contracts.

Despite the required efforts to address the threat landscape, both companies have experienced breaches after the 2015 incident.  

In 2020, Experian disclosed a data breach in which it handed over its South African customers’ personal information to a fraudulent client. The incident affected around 24 million individuals and 793,000 local businesses.

Last year, T-Mobile was hit again, with the personal information of 77 million customers compromised. The company agreed to pay $350 million for the settlement and spend an additional $150 million to upgrade the security system.