LITTLE ROCK, Ark. (KNWA/KFTA) — Arkansas Attorney General Leslie Rutledge announced Arkansas and other states received two multistate settlements with Experian related to data breaches it experienced in 2012 and 2015.

According to a press release from the attorney general’s office, the breaches compromised the personal information of millions of consumers nationwide.

The coalition of states also received a separate settlement with T-mobile in connection with the 2015 Experian breach, according to the release, which impacted more than 15 million people who submitted credit applications with T-Mobile.

Under the settlements, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $16 million, according to the release.

The release says Arkansas will receive a total of $139,146.62 from the settlements.

“Con artists will stop at nothing to exploit our personal information for their gain. Unfortunately, consumers who were harmed by the data breaches in 2012 and 2015 are still dealing with the fallout,” Rutledge said. “As con artists continue to look for ways to gain access to our personal information, my office will continue to educate and enforce the laws that protect consumers and their hard-earned money.”

The release says in September 2015, Experian reported it experienced a data breach. An unauthorized actor gained access to part of Experian’s network that was storing personal information on behalf of its client, T-Mobile.

The release says the breach involved information associated with consumers who applied for T-Mobile postpaid services and device financing between September 2013 and September 2015 including names, addresses, dates of birth, Social Security numbers, identification numbers like driver’s license and passport numbers and related information used in T-Mobile’s own credit assessments.

According to the release, 3,585 Arkansas residents were affected by the 2015 breach. Neither Experian’s consumer credit database nor T-Mobile’s own systems were compromised in the breach.

The release says a 40 states have obtained separate settlements from Experian and T-Mobile in connection with the 2015 data breach.

According to the release, under a $12.67 million settlement, Experian agreed to strengthen its practices going forward.

The release says the company agreed to:

  1. Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
  2. Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting and enhanced employee training;
  3. Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
  4. Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
  5. Specific security requirements, including respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.

The settlement also requires Experian to offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe, according to the release.

This is in addition to the four years of credit monitoring services already offered to affected consumers — two of which were offered by Experian in the wake of the breach, and two that were secured through a separate 2019 class action settlement, according to the release. The deadlines to enroll in these prior offerings have since passed.

The release says in a separate $2.43 million settlement, T-Mobile agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward which include:

  1. Implementation of a vendor risk management program;
  2. Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains;
  3. Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching;
  4. Establishment of vendor assessment and monitoring mechanisms; and
  5. Appropriate action in response to vendor non-compliance, up to contract termination.

According to the release, the settlement with T-Mobile does not concern the unrelated data breach announced by T-Mobile in August 2021.

The release says Experian has agreed to pay an additional $1 million concurrently with the 2015 data breach settlements to resolve a separate multistate investigation into another Experian-owned company, Experian Data Corp., in connection with EDC’s failure to prevent or provide notice of a 2012 data breach.

According to the release, under that resolution, entered into by a separate group of 40 states, EDC agreed to strengthen its vetting and oversight of third parties that it provides personal information, investigate and report data security incidents to the attorneys general, and maintain a “red flags” program to detect and respond to potential identity theft.