Skip to main content

Vermont Joins Three Multistate Settlements Over Experian Data Breaches

December 10, 2022

Experian and T-Mobile agree to improve data protection practices

Vermont recently joined three multistate settlements involving Experian data breaches that occurred in 2012 and 2015. The breaches compromised the personal information of millions of consumers nationwide, including 2,133 Vermont consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015.

Experian has agreed to offer five years of free credit monitoring services to consumers affected by the breach in addition to the four years of credit services it agreed to provide in 2019. Individuals who were eligible to be a member of the 2019 class action settlement, are encouraged to enroll in these extended credit monitoring services. More information on eligibility and enrolment can be found here: www.tmobileapplicant2015eisdatabreachsettlement.com. The enrollment window will remain open for 6 months, ending on May 6, 2023.

The settlements also requires Experian and T-Mobile to improve their data security practices and to pay the states a combined amount of more than $16 million. Vermont will receive $155,652.

In a second settlement, Experian agreed to pay an additional $1 million to the multistate coalition to resolve a separate multistate investigation into a breach by a related company, Experian Data Corp. (EDC). EDC failed to prevent or provide notice of a 2012 data breach that occurred when an identity thief posed as a private investigator and gained access to sensitive personal information stored in EDC’s commercial databases. Under this resolution, EDC has agreed to strengthen its vetting and oversight of third parties who have access to personal information, investigate and report data security incidents and to maintain a “Red Flags” program to detect and respond to potential identity theft.

Finally, T-Mobile agreed to pay $2.43 million to the multistate coalition and to strengthen its vendor oversight going forward, by implementing a vendor risk management program that will require an inventory of its vendor contracts, to require its vendors to provide adequate data security, and assess and monitor its vendors compliance with those contract terms.

A separate multistate investigation in a data breach announced by T-Mobile in August 2021 is ongoing.

For additional details about these settlements and about identity theft generally, contact the Consumer Assistance Program by calling 1-800-649-2424 or visiting www.ago.vermont.gov/cap.

Copies of the settlements are linked below: