AT&T to Pay $177M Over Massive Customer Data Breaches

AT&T has agreed to pay $177 million to settle two class-action lawsuits stemming from major
data breaches that exposed the personal data of tens of millions of its current and former
customers. The settlements follow growing legal pressure after the Dallas-based telecom giant
confirmed the breaches last year.

While AT&T denies responsibility, the company said it chose to settle to avoid lengthy and
costly litigation. A U.S. District Court ruling by Judge Ada Brown in Dallas on June 20
approved the agreements as “fair, reasonable, and adequate.” According to the court, $149
million will be allocated to the first settlement and $28 million to the second.

“The Settlement Funds will be used to pay for each class’s respective Settlement Class Member
Benefits; Settlement Administration Costs; any Court-approved attorneys’ fees and costs to Class
Counsel; and any Court-approved Service Awards to Plaintiffs for serving as Class
Representatives,” the order reads.

The payouts will go to eligible current or former customers whose data was compromised.
Notifications about eligibility are expected to begin by August 4, 2025, with claim submission
deadlines set for November 18, 2025. The final settlement approval hearing is scheduled for
December 3, 2025.

AT&T was required to fund the initial portion of two escrow accounts for the settlements by July
3, 2025. Customers who wish to opt out or object must do so by October 17, 2025.

In a public statement, the company reiterated that it does not accept liability, stating:
“We have agreed to this settlement to avoid the expense and uncertainty of protracted litigation.”
AT&T further emphasized its commitment to customer trust, saying it remains focused on data
protection. The settlement follows two confirmed breaches.

One breach involved the unauthorized downloading of data from approximately 109 million
customer accounts via Snowflake cloud storage. That data included logs from calls and text
activity over six months in 2022. The company stated this did not include message or call
content, Social Security numbers, or other sensitive personal identifiers.

The second breach, disclosed in July 2024, affected nearly all AT&T wireless customers, as well
as landline users who communicated with them, between May 1 and October 31, 2022. The
leaked information, while not including names or content of communications, could potentially
be linked to individuals using publicly available tools.

In a separate incident in March 2024, a data set released on the dark web was found to affect 7.6
million current and 65.4 million former account holders. AT&T reported that this dataset may
have originated as far back as 2019.

“We launched a robust investigation supported by internal and external cybersecurity experts,”
AT&T stated.

Final settlement payments are expected to be issued in early 2026, pending court approval.