AT&T Faces $177 Million Settlement Over Data Breaches
In a significant development for customer data protection, AT&T has reached a tentative $177 million settlement connected to two data breaches disclosed in 2024. This settlement could see eligible customers receiving compensation of up to $7,500 as part of ongoing legal proceedings fueled by concerns over the security of personal information.
The breaches, which affected approximately 73 million accounts, were disclosed by AT&T in March 2024. This initial incident exposed sensitive information for both current and former customers, including Social Security numbers, addresses, birthdates, passcodes, billing details, and phone numbers. The leaked data surfaced in a dark web dataset, raising questions about the efficacy of AT&T’s data security measures.
In a related breach announced in July 2024, hackers reportedly accessed data from a third-party cloud platform, impacting nearly all cellular customers. This second breach included records of voice calls and text messages, further complicating AT&T’s legal standing. In a press release, the company stated that while call content was not compromised, data sensitive to customer identity and communications was at risk.
The investigations into these breaches have prompted multiple lawsuits at both the state and federal levels, consolidating into two main class-action cases. Consequently, the settlement allocates $149 million to the first breach and $28 million to the second, pending approval from the U.S. District Court for the Northern District of Texas.
Affected customers are encouraged to file claims as the process opened on August 4, following a federal court ruling. Claims can be submitted via the Kroll Settlement Administration website, with notifications sent to eligible customers through email. Business owners and individuals concerned about potential vulnerabilities in their own data practices should take note of the implications of this case.
Considering the MITRE ATT&CK framework, initial access and data exfiltration techniques appear to be relevant, particularly in light of the adversarial actions taken by the attackers. Potential tactics could include phishing or exploiting unpatched vulnerabilities in software. The initial data breach aligns with tactics used to compromise sensitive information, while the subsequent attack suggests a failure in persistent controls and oversight on third-party platforms.
The deadline for customers to file claims is November 18, with payouts anticipated by early 2026, contingent on the approval of the settlement. Business owners must remain vigilant regarding their own cybersecurity measures, particularly in light of AT&T’s experience, which illustrates the potential for widespread impacts from data breaches. As the case develops, it will likely serve as a crucial case study in data protection and breach response in the telecommunications sector and beyond.
