AT&T Data Breach Settlement Offers Up To $5k in Claims
AT&T’s proposed $177,000,000 class action settlement over two 2024 data incidents allows eligible claimants to seek up to $5,000 for documented losses tied to the first incident and up to $2,500 for documented losses tied to the second, with some people potentially eligible for both.
What Happened in the Breach
AT&T disclosed on March 30, 2024 that “AT&T data specific fields” appeared in a data set posted on the dark web, with the source still under assessment and uncertainty about whether the data originated from AT&T or a vendor.
AT&T then disclosed on July 12, 2024 that threat actors illegally accessed an AT&T workspace on a third party cloud platform and exfiltrated files containing records of customer call and text interactions, a separate incident that later became part of the combined settlement.
Timeline: From First Access To Latest Update
The personal data tied to the first incident was described in reporting as originating from 2019 or earlier, while the call and text interaction data tied to the second incident covered May 1, 2022 through October 31, 2022, plus a smaller subset dated January 2, 2023.
AT&T announced the first incident on March 30, 2024, and said threat actors accessed the cloud workspace and exfiltrated files between April 14, 2024 and April 25, 2024, with the second incident publicly announced on July 12, 2024.
Lawsuits after the first incident were consolidated in June 2024 before Judge Ada E. Brown in the Northern District of Texas, and the parties later agreed in March 2025 to settle both incidents together in that court.
The settlement website lists a claim deadline of December 18, 2025 and states the court will hold a final approval hearing on January 15, 2026 at 9:00 a.m. CT, while recent reporting says the hearing was held and a ruling was still pending in the weeks after.
What Data Or Systems Were Affected
Reporting on the first incident said the leaked data included sensitive personal information such as Social Security numbers and account passcodes, along with contact details, affecting about 7.6 million current customers and 65.4 million former customers.
AT&T’s SEC disclosure for the second incident said files contained records of customer call and text interactions, and other reporting described risks of re identification even without message content.
Who Was Responsible (Confirmed Vs Alleged)
AT&T said it determined AT&T specific fields were in the dark web data set for the first incident, but it did not publicly identify a responsible actor and said the source was still being assessed, including whether a vendor was involved.
For the second incident, AT&T said threat actors unlawfully accessed an AT&T workspace on a third party cloud platform, and settlement materials describe the platform as hosted by Snowflake, with broader public reporting linking the event to the wider Snowflake related wave of intrusions in 2024.
How The Attack Worked
For the first incident, AT&T framed the event as the appearance of AT&T specific fields inside a larger data set posted on the dark web roughly two weeks before the March 30, 2024 announcement, and said investigators were still assessing the origin.
For the second incident, AT&T told investors that threat actors accessed the cloud workspace and exfiltrated files during the April 14, 2024 to April 25, 2024 window, and the stolen files contained call and text interaction records from the 2022 period described in its filing.
Impact and Risks for Customers
The first incident raised classic identity fraud and account takeover risks because exposed data reportedly included Social Security numbers and account passcodes, which can support impersonation, SIM swap attempts, and targeted scams when combined with other readily available information.
The second incident involved metadata about communications rather than message content, but outlets and AT&T warned that link analysis and public data sources can still allow re identification of people and relationships, increasing risks such as targeted phishing, harassment, and social engineering against individuals and organizations.
Company Response And Customer Remediation
After the first incident, AT&T directed customers to its account safety resources and, in reporting, reset passcodes and began notifying affected people, while continuing to assess whether the data originated inside AT&T or elsewhere.
After the second incident, AT&T said it activated incident response, retained external cybersecurity experts, and took steps to close the illegal access point, while CISA amplified AT&T’s public statement and pointed users to official resources.
The settlement framework emphasizes documented loss claims and tiered cash payments, with documentation standards that say self prepared statements alone are insufficient and losses must be incurred in 2019 or later for the first incident and on or after April 14, 2024 for the second.
Government, Law Enforcement, And Regulator Actions
AT&T said it worked with law enforcement after the second incident, and CISA issued an alert the same day as AT&T’s July 12, 2024 disclosure that pointed to official customer guidance.
US senators publicly questioned AT&T’s storage of call records on the third party platform after the July 2024 disclosure, reflecting political scrutiny even as the settlement process moved through federal court.
Financial, Legal, And Business Impact
The proposed settlement totals $177,000,000, split into a non reversionary $149,000,000 fund tied to the first incident and a non reversionary $28,000,000 fund tied to the second, with tiered payments coming from the net settlement funds after deductions approved by the court.
The “up to” headline numbers are tied to documented loss claims, while many people instead fall into pro rata tiers, including an AT&T 1 structure where Tier 1 payments are 5 times Tier 2 payments when a Social Security number was included, and an AT&T 2 structure that offers a pro rata Tier 3 cash payment option for account owners.
Recent reporting said more than 99 million notices were sent and about 4.38 million claims were filed, implying many payouts will likely be far below the stated maximums once the administrator calculates pro rata shares.
What Remains Unclear About the Settlement
As of the latest updates reflected on the settlement site and recent reporting, the timing of payments remains uncertain because benefits generally begin only after final court approval and any appeals window closes, and the administrator still needs to process claim volume and documentation.
The acceptance of late claims also remains uncertain, because the settlement FAQ says it cannot guarantee late claims will be accepted after the deadline, and pro rata results will depend on how many claims survive validation and what the court approves for fees and costs.
Why This Incident Matters
The AT&T incidents show how consumer harm can arise from both direct exposure of sensitive identifiers and indirect exposure of communications metadata, and the combined settlement is an unusually large telecom privacy resolution that will test how courts and administrators value documented losses versus standardized tiered payments.
The episode also highlights enterprise dependence on third party cloud platforms and the downstream legal exposure that follows when high volume customer data sits in environments targeted by credential theft and large scale data extraction.
How Bright Defense Can Help Reduce Similar Data Breach Risk
Bright Defense can help reduce exposure to data breaches like these through penetration testing that targets the paths attackers use to reach high value data stores, including cloud workspaces, identity and access flows, and third party integrations.
We typically focus testing on access control failures, credential abuse scenarios, and data exfiltration paths that security teams can miss during routine reviews.
Bright Defense’s continuous compliance program can also keep key controls current across systems that store regulated or high sensitivity data, with ongoing evidence collection and control checks that support SOC 2 and similar frameworks while teams ship changes.
Sources
- Telecom Data Incident Settlement — In Re: AT&T Inc. Customer Data Security Breach Litigation, Important Dates (February 9, 2026)
https://www.telecomdatasettlement.com/ - Telecom Data Incident Settlement — FAQ (February 9, 2026)
https://www.telecomdatasettlement.com/faq - SEC.gov — AT&T Inc. Current Report on Form 8-K (May 6, 2024)
https://www.sec.gov/Archives/edgar/data/732717/000073271724000046/t-20240506.htm - AT&T Newsroom — AT&T Addresses Recent Data Set Released on the Dark Web (March 30, 2024)
https://about.att.com/story/2024/addressing-data-set-released-on-dark-web.html - PR Newswire — AT&T Addresses Illegal Download of Customer Data (July 12, 2024)
https://www.prnewswire.com/news-releases/att-addresses-illegal-download-of-customer-data-302195733.html - CISA — AT&T Discloses Breach of Customer Data (July 12, 2024)
https://www.cisa.gov/news-events/alerts/2024/07/12/att-discloses-breach-customer-data - AP News — AT&T Notifies Users of Data Breach and Resets Millions of Passcodes (April 3, 2024)
https://apnews.com/article/fbef4afe0c1deec9ffb470f2ec134f41 - AP News — AT&T Reaches a $177 million Data Breach Settlement (November 14, 2025)
https://apnews.com/article/f7e20593c3bed83d0abf6b66636fa844 - Time — What AT&T Customers Impacted by the Major Data Security Breach Should Do Now (July 15, 2024)
https://time.com/6997911/att-customers-data-security-breach-what-to-do/ - Investopedia — AT&T Says Nearly All Customers Were Affected by April Data Breach (July 12, 2024)
https://www.investopedia.com/at-and-t-says-nearly-all-customers-affected-by-april-data-breach-8677080 - Business Insider — AT&T Says Hackers Stole the Call and Text Records of Almost All Wireless Customers (July 12, 2024)
https://www.businessinsider.com/attt-hackers-stole-call-text-records-wireless-customers-2024-7 - CT Insider — AT&T Data Breach Settlement Nearing Approval, Claims Filed (February 9, 2026)
https://www.ctinsider.com/news/article/att-data-breach-settlement-claims-filed-21307660.php - CT Insider — AT&T Settlement Nears Approval, Attorney Fees Request (February 9, 2026)
https://www.ctinsider.com/news/article/att-data-breach-settlement-attorney-fees-21336035.php - Business.CCH.com — AT&T Settlement Agreement PDF (May 30, 2025)
https://business.cch.com/CybersecurityPrivacy/at%26tsettlementagreement.pdf
Get In Touch
