AT&T has agreed to a $177 million settlement to resolve class-action lawsuits stemming from two major data breaches that compromised the personal information of more than 100 million customers.
What happened
AT&T has reached a preliminary court-approved settlement totaling $177 million to resolve class-action lawsuits stemming from two major data breaches disclosed in March and July 2024. The court granted preliminary approval of the settlement on June 20, 2025.
The backstory
AT&T experienced two major data breaches in 2024 that together exposed the personal information of over 100 million individuals. The first breach came to light in March 2024, when a dataset containing information from approximately 7.6 million current and 65.4 million former customers was found circulating on the dark web. The leaked data included Social Security numbers, full names, phone numbers, physical addresses, birthdates, and AT&T passcodes. AT&T initially claimed the data did not originate from its systems but later confirmed the information was accurate and offered credit monitoring to affected individuals.
Just months later, in July 2024, AT&T disclosed another massive breach that compromised call and text metadata for approximately 109 million customer accounts. The data, hosted on Snowflake's cloud platform, included phone numbers, call dates and times, and message durations (though not the content of messages). This breach is believed to have been carried out by a group known as ShinyHunters, which reportedly demanded a $1 million ransom. AT&T stated that the compromised data had been deleted following the ransom payment.
Go deeper:
What was said
AT&T told Reuters that they deny allegations of responsibility; however, they have “agreed to this settlement to avoid the expense and uncertainty of protracted litigation.” Furthermore, the company expects the settlement to be approved by the end of 2025, with settlement payments to be issued early next year.
By the numbers
According to the breach settlement:
- Notifications to affected individuals will begin on August 4, 2025, and continue through October 17, 2025.
- Customers affected by the breaches may be eligible to receive up to $2,500 or $5,000 in compensation, depending on the breach and whether they can document their financial losses.
- The deadline to submit claims for compensation is November 18, 2025.
- A final approval hearing for the settlement is scheduled for December 3, 2025.
- Payouts to approved claimants are expected to begin in early 2026, after legal fees and administrative costs are deducted from the settlement fund.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQS
Were both breaches connected?
No, the two breaches were separate incidents. One involved a leak of personal information later found on the dark web, and the other involved unauthorized access to call and text records stored in a third-party cloud platform.
What will the settlement money cover?
The fund is intended to reimburse victims for time lost, out-of-pocket expenses, and documented financial harm caused by the data breaches.
Who is eligible for compensation?
Current and former AT&T customers whose data was compromised in either of the 2024 breaches may be eligible. This includes people whose personal information appeared on the dark web or whose call and text records were accessed without authorization.
How do I file a claim?
You’ll receive a notification (by mail or email) if you’re eligible. The notice will include instructions and a link to the claims website where you can submit your documentation.
What happens if I don’t file a claim?
If you don’t file a claim by the deadline (November 18, 2025), you will likely forfeit your right to receive any payment from the settlement.
Tshedimoso Makhene
