Kimberly Redmond//November 8, 2022//
Kimberly Redmond//November 8, 2022//
New Jersey will receive $500,000 as part of a multistate settlement with credit reporting agency Experian over data breaches that compromised the personal information of millions of consumers nationwide, according to Attorney General Matthew Platkin.
The first agreement stems from a T-Mobile breach in 2015 that impacted 15 million customers – including 489,789 New Jersey residents – who submitted credit applications to the wireless provider via Experian, Platkin said in a Nov. 7 press release.
During the breach, an unauthorized actor gained access to part of Experian’s network storing personal information – such as names, addresses and Social Security numbers – on behalf of its client, T-Mobile, potentially by using a known application vulnerability, according to Platkin.
After gaining access to the system, the intruder tapped into the T-Mobile database on the Experian server, resulting in the compromise of consumer data on millions of individuals who applied for T-Mobile postpaid services and device financing between September 2013 and September 2015.
As part of the settlement, Experian and T-Mobile agreed to improve their data security practices and to pay 40 states a combined amount of more than $16 million.
Experian is also required to offer five years of free credit monitoring services to affected consumers. This is in addition to the four years of credit monitoring services already offered to affected consumers — two of which were offered by the company in the wake of the breach, and two that were secured through a separate 2019 class action settlement, according to Platkin.
Meanwhile, T-Mobile agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward, according to the attorney general.
Concurrently with the 2015 data breach settlement, Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into another Experian-owned company, Experian Data Corp. (EDC), in connection with its alleged failure to prevent or provide notice of a 2012 data breach that occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in commercial databases, the attorney general said.
Since that time, the individual has pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges, according to Platkin.
New Jersey Division of Consumer Affairs acting Director Cari Fais said, “Institutions that require customers to divulge important personal information in order to receive essential services have an obligation to store that information responsibly.
“The cost of not doing so can be enormous both for the victims whose information is improperly taken and used, and for the entities that dropped the ball when it came to preserving their customers’ privacy,” Fais stated.
“Consumers entrusted these companies with a wealth of important information about themselves, but the companies failed to properly store, safeguard, or dispose of it,” said Platkin. “With cybersecurity threats continuing to put both public and private entities at risk, we are sending a clear message that businesses must make it a priority to be aware of emerging threats, identify and rectify their own technological vulnerabilities, and handle their customers’ private information with the utmost care.”