Ohio and 39 other states have reached two settlements with the credit-reporting agency Experian over data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide, Ohio Attorney General Dave Yost announced earlier this month.

“Safeguarding consumers’ personal information is a vital part of credit reporting,” Yost said. “This agency will now have to work overtime to rebuild the public’s trust.”

Separately, a settlement has been reached with T-Mobile stemming from the 2015 Experian data breach, which affected more than 15 million people who submitted credit applications to the telecommunications company.

As part of the trio of settlements, Experian, one of the “Big Three” national credit-reporting agencies, and T-Mobile have agreed to improve their data-security practices and to pay 40 states a combined $16.1 million, with most of that money coming from Experian.

Ohio will receive a total of $438,362.12 from the settlements.

In September 2015, Experian reported a data breach in which an unauthorized actor gained access to a part of its network that stored personal information on behalf of T-Mobile, one of its clients.

The breach involved data associated with consumers who had applied for T-Mobile services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related data used in T-Mobile’s own credit assessments.  

More than 446,000 Ohio residents were affected.

Experian will pay $12.67 million to settle the case. In addition, the company has agreed to strengthen its data-security practices by:

• Not misrepresenting to its clients the extent to which Experian protects the privacy and security of personal information.

• Introducing a comprehensive Information Security Program, including regular executive-level reporting and enhanced employee training.

• Adopting due-diligence provisions, which means properly vetting acquisitions and evaluating data-security concerns prior to integration.

• Implementing data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers.

• Meeting specific security requirements regarding encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing and risk assessments.

The settlement also requires Experian to offer five years of free credit-monitoring services to affected consumers, as well as two free copies of their credit reports annually during that time. Affected consumers can check eligibility to enroll in the five-year extended credit-monitoring services and find more information on eligibility here. The enrollment window will remain open for six months. (Anyone who was a class member in the private 2019 class action settlement is eligible to enroll in these extended credit-monitoring services.)

Under the separate settlement with T-Mobile, the company will pay $2.43 million and adopt detailed vendor management provisions designed to strengthen its vendor oversight of information and data security.

The settlement with T-Mobile is unrelated to the data breach announced in August 2021 by T-Mobile.

Experian has also agreed to pay an additional $1 million to resolve a separate multistate investigation into another Experian-owned company – Experian Data Corp. (EDC) – in connection with EDC’s failure to prevent or report a 2012 data breach.

The breach occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in the company commercial databases.

Under this settlement, entered into by a separate group of 40 states, EDC has agreed to strengthen its vetting and oversight of third parties to which it provides personal information, investigate and report data-security incidents to the attorneys general and maintain a “Red Flags” program to detect and respond to potential identity theft.