LINCOLN, Neb. (Press Release) Attorney General Doug Peterson announced Monday that Nebraska, along with a coalition of other attorneys general, has reached two multi-state settlements with Experian over data breaches in 2012 and 2015 that compromised the personal information of millions of consumers across the country.
The coalition also reached a settlement with T-Mobile over the 2015 Experian breach, which affected more than 15 million people who applied for credit with T-Mobile. Under the settlements, the companies agreed to improve their data security practices and pay the states a total of more than $16 million. Nebraska receives a total of $139,279 from the settlements.
In September 2015, Experian, one of the three credit reporting bureaus, reported a data breach in which an unauthorized actor accessed the portion of Experian’s network that stores personal information on behalf of its customer T-Mobile. The breach involved information related to consumers who applied for T-Mobile after-sales service and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s own credit evaluation. The 2015 breach affected 4,790 Nebraska residents. Neither Experian’s consumer credit database nor T-Mobile’s own systems were affected in the breach.
A 40-state multi-state group has obtained separate settlements from Experian and T-Mobile in connection with the 2015 data breach. As part of a $12.67 million settlement, Experian agreed to improve its practices and data security going forward. These include:
- A prohibition on false representations to its customers about how well Experian protects the privacy and security of personal information;
- Implement a comprehensive information security program that includes zero-trust principles, regular reporting at the executive level, and improved employee training;
- Due diligence provisions requiring the company to properly conduct acquisitions and assess data security concerns prior to integration;
- Data reduction and data destruction requirements, including specific efforts to reduce the use of social security numbers as identifiers; and
- Specific security requirements, including those related to encryption, segmentation, patch management, intrusion detection, firewalls, access control, logging and monitoring, penetration testing, and risk assessment.
The settlement also requires Experian to provide affected consumers with five years of free credit monitoring services, as well as two free copies of their credit reports each year during that period. This is in addition to other credit monitoring services that may already be offered to affected consumers.
Affected consumers can sign up for the five-year credit monitoring service and find out more about eligibility here. The registration window remains open for six months.
In a separate $2.43 million settlement, T-Mobile agreed to detailed vendor management provisions designed to strengthen future vendor controls. These include:
- Implementing a vendor risk management program;
- Maintaining T-Mobile’s vendor contract inventory, including vendor criticality ratings based on the nature and type of information that vendor receives or maintains;
- Imposing contractual data security requirements on T-Mobile vendors and sub-vendors, including those related to segmentation, passwords, encryption keys, and patching;
- Establishing mechanisms for assessing and monitoring vendors; and
- Taking appropriate action in response to a vendor’s non-compliance, up to and including termination of the contract.
The settlement with T-Mobile does not concern the massive data breach announced by T-Mobile in August 2021, which is still under investigation by a multi-state coalition of attorneys general led by Connecticut.
Concurrent with the 2015 data breach settlement, Experian agreed to pay an additional $1 million to settle a separate multi-state investigation into another Experian company, Experian Data Corp. (“EDC”), in connection with EDC’s failure to prevent or provide notice of a data breach in 2012, which occurred when an identity thief posing as a private investigator was given access to confidential personal information stored in EDC’s commercial database. Under the resolution, signed by a separate group of 40 states, EDC agreed to step up inspections and oversight of third parties that provide personal information, investigate and report data security incidents to attorneys general, and maintain a “Red Flags” program to detect and respond to potential identity theft.
Copyright 2022 KSNB. All rights reserved.