AT&T Data Breach Settlement Approved for $177M Payout to Customers

Settlement comes after more than 100 individual and class action lawsuits were filed against AT&T, alleging the telecom giant failed to adequately protect customer data.

AT&T has agreed to pay a total of $177 million to settle claims stemming from two separate data breaches that compromised the personal information of tens of millions of current and former customers across the United States.

Last year, the company disclosed two major data breaches that exposed sensitive personal information of U.S. customers. The first breach was revealed in March 2024, when a dataset containing names, Social Security numbers, phone numbers and dates of birth appeared on the dark web. AT&T later confirmed the information originated from its internal systems and affected more than 70 million individuals.

Just months later, a second AT&T data breach was disclosed, which occurred when unauthorized actors accessed metadata from a third-party cloud storage provider, Snowflake. Although this breach did not include names or Social Security numbers, it exposed call-related data, including phone numbers, call durations and cell site identifiers, for an unknown number of users.

In the wake of these data breach announcements, a growing number of individual and class action lawsuits were filed against AT&T in courts nationwide, alleging that the telecommunications giant failed to implement reasonable data security safeguards, despite collecting and storing sensitive customer information. Plaintiffs claimed that AT&T’s inadequate protections left millions vulnerable to identity theft, fraud and other long-term privacy risks.

With each of the claims raising similar allegations that AT&T failed to take adequate steps to protect the personal identifying information of its customers, the U.S. Judicial Panel on Multidistrict Litigation (JPML) decided to consolidate the AT&T data breach lawsuits in June 2024, centralizing the litigation before U.S. District Judge Ada E. Brown in the Northern District of Texas, for coordinated discovery and pretrial proceedings.

Since the creation of the federal MDL (multidistrict litigation), lawyers involved in the data breach lawsuits have actively engaged in the early stages of coordinated pretrial proceedings. In August 2024, Judge Brown appointed a team of plaintiffs’ attorneys to serve in key leadership roles, including a lead counsel, executive committee members, and a steering committee tasked with managing common discovery, presenting joint arguments, and facilitating potential settlement discussions on behalf of all claimants.

The Court also established a case management plan to oversee the exchange of information related to the cause and impact of the breaches, laying the groundwork for negotiations that have now resulted in a landmark $177 million AT&T data breach settlement.

AT&T Data Breach Settlement Agreement

In a preliminary approval order (PDF) issued on June 20, U.S. District Judge Ada E. Brown authorized the settlement process to move forward, paving the way for cash payments to eligible AT&T customers and outlining a claims process that will remain open through the fall.

The settlement includes two distinct payouts: $149 million allocated to individuals impacted by the 2024 breach of AT&T’s internal systems, and $28 million set aside for those affected by the second breach involving data stored on a third-party cloud platform hosted by Snowflake.

Affected consumers will be able to submit claims through the fall, and a final approval hearing is scheduled for December 16, 2025.

Who Qualifies for a Payment?

The settlement divides affected individuals into two separate classes based on which data breach impacted them and the type of information that was exposed. Each class has its own eligibility criteria and access to compensation under the terms of the agreement.

• AT&T 1 Settlement Class: U.S. residents whose sensitive personal information—such as names, birth dates, phone numbers and Social Security numbers—was exposed in the internal data breach.
• AT&T 2 Settlement Class: Current or former AT&T account holders or users whose metadata (e.g., call logs, durations or tower pings) was accessed during the Snowflake incident.

What Compensation Is Available?

Consumers who are part of the settlement class can pursue one of two types of compensation, depending on the type of data compromised and whether they experienced any financial harm as a result of the breaches.

For those who suffered out-of-pocket losses, the settlement provides documented loss payments. These reimbursements are available to individuals who can demonstrate that their expenses were fairly traceable to either of the data breaches, such as costs related to fraud, identity theft or credit monitoring.

Overlap customers—those impacted by both breaches—may submit claims for each incident, as long as they provide separate and distinct documentation for the losses claimed.

• Up to $5,000 for documented losses tied to the AT&T 1 breach (covering losses since 2019)
• Up to $2,500 for documented losses tied to the AT&T 2 breach (covering losses after April 14, 2024)

For class members who did not experience direct financial harm, but had qualifying data exposed, the settlement offers tiered flat-rate cash payments. These payments are determined based on the nature of the data compromised, with higher payouts for more sensitive personal information. No documentation is required for these claims.

• Tier 1: For AT&T 1 class members whose Social Security number was exposed — highest payout (5× Tier 2)
• Tier 2: For AT&T 1 class members whose personal information was exposed, but not their SSN
• Tier 3: For AT&T 2 class members whose metadata was exposed in the Snowflake breach — equal share of the $28 million fund

The final payout amounts will depend on how many valid claims are submitted and approved within each settlement category.

Notices will be sent by email or mail beginning this summer, with instructions on how to file a claim or opt out. All claims, objections and exclusion requests must be submitted by October 17, 2025.

The court has appointed Kroll Settlement Administration to handle the claims process. A dedicated website will provide updates, forms and deadlines for consumers seeking compensation. Under the agreement, AT&T also committed to strengthening its data security protocols and will provide confidential documentation to class counsel outlining its remedial efforts.

While AT&T denies any wrongdoing, the settlement avoids the uncertainty of protracted litigation and offers relief to customers whose data was compromised.

To receive the latest updates on the AT&T data breach settlement and other consumer safety news that could affect you or your family, sign up for the weekly AboutLawsuits Digest.