COLUMBUS, Ohio (WCMH) – A second credit monitoring giant in the United States is dishing out money over not one, but two data breaches it suffered in the past decade.

Ohio joined a 40-state lawsuit against Experian related to data breaches it suffered in 2012 and 2015, of which the latter also involved T-Mobile. The group reached a settlement where the credit-monitoring agency and cellular company agreed to pay $16.1 million total, according to Attorney General Dave Yost’s office. Of that payout, the state of Ohio is receiving $438,362.12.

The agreement comes on the heels of an update regarding a separate credit monitoring agency’s settlement. Equifax’s data breach saw 147.9 million Americans’ personal information exposed, costing the company $700 million in a class action lawsuit, comparatively.

The breach with T-Mobile

Experian’s most recent data breach stemmed from a hacker accessing part of its client network for T-Mobile. The cell phone company had the personal information of its customers stored on the Experian network. Yost said the breach affected around 446,000 Ohioans out of 15 million people who submitted credit applications between 2013 and 2015 for T-Mobile.

The information exposed in the T-Mobile and Experian breach included names, addresses, dates of birth, Social Security numbers and IDs like driver’s licenses and passports. This breach cost Experian $12.67 million, and T-Mobile $2.43 million. The terms of the settlement also required Experian to agree to meet cybersecurity standards surrounding encryption, intrusion detection, firewalls and more. T-Mobile had to adopt better vendor oversight practices to improve its data security.

Experian also had to pay out on a 2019 private class-action settlement over the T-Mobile breach, but the enrollment window for that has now closed. However, Yost added the states’ settlement with the credit monitoring agency includes a requirement that it offers five years of free cred-monitoring services to anyone affected, as well as two free copies of their credit reports per year. The enrollment window for that offer will stay open for six months from November, and anyone can check their eligibility by clicking here.

The 2012 breach

Experian’s first data breach within the decade came from a company underneath it: Experian Data Corporation. The states’ lawsuit saw Experian pay $1 million for failing to prevent or report the breach, according to Yost’s office.

Yost did not specify how many Ohioans the breach affected, but did say it happened when Experian Data Corp. gave database access to an identity thief pretending to be a private investigator. The fraud was then able to access personal information stored by the company.

As a result of the settlement, EDC also committed to bolstering its oversight of any group to which it provides personal information. It also had to agree to report data breach incidents to the states’ attorneys general, and to start a program detecting and responding to possible identity theft incidents.