HARRISBURG, Pa. (WHTM) — On Monday, Attorney General Josh Shapiro announced that Pennsylvania, along with a coalition of other attorneys general, obtained two multi-state settlements with Experian — a major credit reporting bureau — as well as a settlement with T-Mobile related to data breaches.

The Experian settlements concerned data breaches in 2012 and 2015 that compromised the personal information of over 484,000 Pennsylvanians, according to a release from Shapiro’s office. The additional settlement with T-Mobile related to the 2015 Experian breach, which impacted Pennsylvania consumers who submitted credit applications with T-Mobile, the release said.

Under the settlements, the companies agreed to improve their data security practices and pay the states a combined amount of more than $16 million, according to the release. Pennsylvania will receive $464,000 from the settlements, Shapiro’s office said.

“Experian and T-Mobile failed in their responsibility to safeguard consumers’ personal information. Their systems were vulnerable to a massive data breach, and the personal identifying information for millions of Americans was put at risk. This settlement ensures that Experian & T-Mobile must do the right thing and fix the security failures that led to a preventable data breach,” Shapiro said in the release.

In September 2015, Experian said it had experienced a data breach in which an unauthorized person gained access to part of Experian’s network that stored personal information including names, addresses, birthdays, social security numbers, and other identification numbers on behalf of its client, T-Mobile, according to the release.

T-Mobile used the information in its credit assessments, the release said, and it was associated with consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015.

Neither Experian’s consumer credit database nor T-Mobile’s systems were compromised in the breach, according to the release.

A 40-state group obtained separate settlements from Experian and T-Mobile in relation to the 2015 data breach. As part of the settlement, the release said, Experian agreed to strengthen its due diligence and data security practices in the following ways:

  • Prohibiting misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information
  • Implementing a comprehensive information security program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training
  • Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns before integration
  • Data minimization and disposal requirements including specific efforts aimed at reducing the use of social security numbers as identifiers
  • Security requirements related to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments

The settlement also requires Experian to offer five years of free credit monitoring services to affected customers as well as two free copies of their credit reports annually during that time frame, according to Shapiro’s office.

In a separate settlement, T-Mobile agreed to detailed vendor management provisions to strengthen its vendor oversight in the future, the release explained. According to the attorney general’s office, those provisions include:

  • Maintenance of a T-Mobile vendor contract inventory, including vendor risk ratings based on the nature and type of information the vendor receives or maintains
  • Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors
  • Establishment of vendor assessment and monitoring mechanisms
  • Action in response to vendor non-compliance, up to contract termination

This settlement is unrelated to the data breach announced by T-Mobile in August 2021, which is still under investigation by attorneys general from multiple states, the release noted.

Experian agreed to pay an additional $1 million to resolve a separate investigation into another Experian-owned company, Experian Data Corp., in relation to its failure to prevent and provide notice of a 2012 data breach, Shapiro’s office said. In that instance, an identity thief posing as a private investigator was granted access to personal information stored in the company’s commercial databases, according to the release.