Illinois Attorney General Kwame Raoul announced national settlements with Experian relating to data breaches in 2010 and 2015 that compromised the personal information of millions of consumers nationwide, including hundreds of thousands in Illinois.
Article continues below
Raoul and the coalition also obtained a separate settlement with T-Mobile in connection with the 2015 Experian breach, which impacted more than 15 million individuals who submitted credit applications with the telecommunications company.
Illinois was one of the states to lead an investigation into Experian’s 2015 data breach, which impacted more than 735,000 Illinois residents.
Under the settlements Raoul announced, Experian and T-Mobile have agreed to improve their data security practices and pay states more than $16 million. Additionally, Illinois will receive a total of more than $1.2 million.
“Hundreds of thousands of Illinoisans were affected by Experian’s data breaches,” Raoul said.
“Our investigations not only led to substantial financial settlements but also meaningful reforms in the way data is handled, protecting consumers from future exposure and ensuring companies are working to limit the effect of large data breaches.”
In September 2015, Experian, one of the “big-three” credit reporting bureaus, reported a data breach in which an unauthorized actor gained access to part of Experian’s network.
The breach involved personal information Experian stored on behalf of its client, T-Mobile, which belonged to consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015.
Information included consumers’ names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers) and related information T-Mobile used in credit assessments.
Raoul and the coalition obtained two separate settlements from Experian and T-Mobile in connection with the 2015 data breach. Under a $12.67 million national settlement, Experian has agreed to strengthen its due diligence and data security practices going forward, including by implementing a comprehensive information security program.
Experian will also enact data minimization and disposal requirements, including specific efforts aimed at reducing the use of Social Security numbers as identifiers; and specific security requirements, including the use of intrusion detection, firewalls and risk assessments. Illinois will receive $1.04 million.
The settlement also requires Experian to offer affected consumers five years of free credit monitoring services as well as two free copies of their credit reports annually during the timeframe.
Raoul and the coalition also obtained a $2.43 million settlement with T-Mobile. Under the settlement, T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward.
Illinois will receive around $204,000. The settlement does not involve an unrelated, massive data breach T-Mobile announced in August 2021, which is still under investigation by Attorney General Raoul and a multistate coalition of attorneys general.
Joining Raoul in leading the investigation into the 2015 data breach are the attorneys general of Connecticut, the District of Columbia, Maryland, Massachusetts and Texas.
Joining in the settlements are the attorneys general of Arizona, Arkansas, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Vermont, Virginia, Washington and Wisconsin.
In addition to the 2015 data breach settlements, Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into Experian Data Corp. (EDC), an Experian-owned company.
The settlement resolves an investigation into EDC’s failure to prevent or provide notice of a data breach that occurred between October 2010 and November 2012.
During that time, an identity thief posing as a private investigator was given access to sensitive personal information stored in Court Ventures Inc.’s commercial databases, which was acquired by EDC in 2012.
Under the settlement, entered into by Illinois and a bipartisan group of 39 states, EDC has agreed to strengthen its vetting and oversight of third parties to which it provides personal information, investigate and report data security incidents to attorneys general, and maintain a “red flags” program to detect and respond to potential identity theft. ■