New Hampshire Department of Justice
Office of the Attorney General

News Release

For Immediate Release
November 7, 2022

Contact:
Michael S. Garrity, Director of Communications
michael.s.garrity@doj.nh.gov | (603) 931-9375

Alexandra C. Sosnowski, Assistant Attorney General
Consumer Protection and Antitrust Bureau
Alexandra.C.Sosnowski@doj.nh.gov | (603) 271-2678

New Hampshire joins combined $15 Million Multistate Settlements over 2015 Experian Data Breach; Experian and T-Mobile Agree to Improve Data Protection Practices

Concord, NH – Attorney General John M. Formella announced today that New Hampshire, along with 39 other attorneys general, has obtained two multistate settlements with Experian Information Solutions, Inc. ("Experian") and T-Mobile USA, Inc. ("T-Mobile") concerning a 2015 data breach experienced by Experian that compromised the personal information of more than 15 million individuals who submitted credit applications with T-Mobile.

Under the settlements, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $15 million. New Hampshire will receive a total of $129,429.46 from the settlements. This data breach impacted 21,058 New Hampshire residents.

"It is critical for companies to protect the personal information of New Hampshire consumers," said Attorney General Formella. "This settlement includes important due diligence provisions and data security enhancements to protect consumers moving forward. We encourage affected Granite Staters to enroll in the free credit monitoring services being offered through this settlement."

In September 2015, Experian, one of the big-three credit reporting bureaus, reported it had experienced a data breach in which an unauthorized actor gained access to part of Experian's network storing personal information on behalf of its client, T-Mobile. The breach involved information associated with consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver's license and passport numbers), and related information used in T-Mobile's own credit assessments. Neither Experian's consumer credit database, nor T-Mobile's own systems, were compromised in the breach.

The multistate coalition obtained separate settlements from Experian and T-Mobile in connection with the 2015 data breach. Under a $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward. Those include:

  • Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
  • Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
  • Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
  • Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
  • Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.

The settlement also requires Experian to offer 5 years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. This is in addition to the four years of credit monitoring services already offered to affected consumers, two of which were offered by Experian in the wake of the breach, and two that were secured through a separate 2019 class action settlement. The deadlines to enroll in these prior offerings have since passed.

If you were a class member in the 2019 class action settlement, you are eligible to enroll in these extended credit monitoring services. Affected consumers can enroll in the 5-year extended credit monitoring services and find more information on eligibility here. The enrollment window will remain open for 6 months.

In a separate $2.43 million settlement, T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward. Those include:

  • Implementation of a Vendor Risk Management Program;
  • Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains;
  • Imposition of contractual data security requirements on T-Mobile's vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching;
  • Establishment of vendor assessment and monitoring mechanisms; and
  • Appropriate action in response to vendor non-compliance, up to contract termination.

The settlement with T-Mobile does not concern the unrelated, massive data breach announced by T-Mobile in August 2021, which is still under investigation by a multistate coalition of Attorneys General co-led by Connecticut. New Hampshire is part of this multistate investigation.

New Hampshire Department of Justice
33 Capitol Street | Concord, NH | 03301
Telephone: 603-271-3658