Connect with us

Hi, what are you looking for?



US States Announce $16M Settlement With Experian, T-Mobile Over Data Breaches

Authorities in 40 US states have reached a settlement totaling more than $16 million with Experian and T-Mobile over data breaches suffered by the companies in 2012 and 2015.

Authorities in 40 US states have reached a settlement totaling more than $16 million with Experian and T-Mobile over data breaches suffered by the companies in 2012 and 2015.

The multi-state settlement with Experian totals more than $13.67 million and the settlement with T-Mobile is for $2.5 million. In addition, each company has agreed to take steps to improve their data security practices.

The attorneys general in several states published press releases on Monday announcing how much they will each receive from these settlements. Hawaii, for instance, is getting roughly $180,000, Massachusetts will receive over $625,000, New Jersey $500,000, Pennsylvania $460,000, Michigan $360,000, and Nebraska will get $140,000.

The settlement is related to two cybersecurity incidents. The first incident came to light in 2012, when the Secret Service alerted an Experian subsidiary that an identity thief posing as a private investigator was abusing the company’s services to obtain sensitive personal information. The incident involved more than three million queries seeking personal information.

The identity thief was caught and prosecuted, but authorities were unhappy that Experian never notified impacted individuals of the breach.

Then, in 2015, Experian disclosed an incident in which a hacker had accessed a network segment storing information of 15 million T-Mobile customers — Experian stored T-Mobile customer data because the mobile carrier was using it to process customer credit applications.

Experian at the time did notify affected customers and offered them two years of free credit monitoring services, but authorities decided to take action against the credit reporting firm over its poor cybersecurity practices.

Advertisement. Scroll to continue reading.

As part of the settlement announced this week, Experian will need to implement a comprehensive information security program and take other steps to prevent such incidents from occurring in the future.

It will also be required to offer impacted consumers five years of free credit monitoring services, in addition to the two years offered in 2015 and the two years that were offered as a result of a class action settlement in 2019.

As for T-Mobile, the company is required to strengthen third-party oversight to ensure that vendors handling its customers’ data can protect the sensitive information they are entrusted with.

Related: SolarWinds Agrees to Pay $26 Million to Settle Shareholder Lawsuit Over Data Breach

Related: Cosmetics Giant Sephora Settles Customer Data Privacy Suit

Related: Accellion Reaches $8.1 Million Settlement Over FTA Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.