
Hawaiʻi joins $16M data breach settlement against Experian and T-Mobile

Alan Diaz

Forty states will split a $16 million settlement from credit reporting bureau Experian and telecom company T-Mobile.

The settlements come from data breaches that happened between 2012 and 2015.

The breach impacted over 15 million people who submitted credit applications with T-Mobile. Nearly 69,000 Hawaiʻi residents were impacted by the data breach in 2015.

Hawaiʻi will receive $181,981 from the settlements.

Under a $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward. Those include:

  • Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
  • Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
  • Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
  • Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
  • Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.

In a separate $2.43 million settlement, T-Mobile has agreed to strengthen its vendor oversight going forward. The requirements include:

  • Implementation of a Vendor Risk Management Program;
  • Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains;
  • Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching;
  • Establishment of vendor assessment and monitoring mechanisms; and
  • Appropriate action in response to vendor non-compliance, up to contract termination.

Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into Experian Data Corp. in connection with its failure to prevent or provide notice of a 2012 data breach that occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in Experian’s commercial databases.

Experian is involved in a separate 2019 class action settlement. Those involved in that case are eligible to enroll in a five-year extended credit monitoring service. The enrollment window will remain open for six months.

Information on eligibility can be found here.

Zoe Dym was a news producer at Hawaiʻi Public Radio.