Centralization of Lawsuits Over AT&T Data Breach Will Be Reviewed by MDL Panel on May 30

Most AT&T data breach lawsuits have been filed in Northern Texas, where several plaintiffs and the company itself want the litigation consolidated as part of a federal multidistrict litigation (MDL)

A panel of federal judges will hear oral arguments on May 30, over whether to consolidate the growing number of data breach lawsuits against AT&T, and transfer the claims to one judge for coordinated discovery and pretrial proceedings as part of a multidistrict litigation (MDL).

The litigation began to emerge a few weeks ago, after it was disclosed that millions of customers’ personal identifying information was leaked on the Dark Web. However, there is now growing evidence that AT&T knew about the security breach for years, but failed to take steps to protect customers.

As a result, lawsuits not only seek credit monitoring and fraud protections for vulnerable customers, but plaintiffs are pursuing additional financial compensation for damage that has already been caused by the release of their personal information, and it is widely expected that tens of thousands of former customers will be pursuing AT&T data breach settlements in the coming months.

AT&T Data Breach Lawsuits Raise Common Questions of Fact and Law

Lawsuits filed throughout the federal court system allege that AT&T first became aware of a potential data breach in 2021, when the hacker group Shiny Hunters claimed to have compromised the company’s systems, and were attempting to sell a database containing sensitive customer information. Initially, AT&T contested the legitimacy of these claims, stating that the samples of the leaked data provided by Shiny Hunters did not correspond to their records.

Rather than investigating the potential leak of millions of client records and notifying customers and regulators, the lawsuits claim AT&T continued to deny the validity of the breach until March 2024, when a hacker known as “MajorNelson” leaked the entire database for free.

AT&T acknowledged the data breach on March 30, and the company disclosed that the data breach exposed the names, addresses, phone numbers, Social Security numbers, and email addresses of approximately 7.6 million current account holders and approximately 65.4 million former account holders. The admission came only after the sensitive client information was publicly released,  and the company admitted the data did indeed belong to their customers.

AT&T Data Breach MDL Hearing

To avoid conflicting pretrial rulings from various different judges overseeing cases throughout the federal court system, a motion to transfer (PDF) was filed with the U.S. Judicial Panel on Multidistrict Litigation (JPML) in April, requesting claims filed throughout the federal district court system be consolidated for pretrial proceedings before one judge as part of an AT&T data breach lawsuit MDL (multidistrict litigation).

On April 12, the JPML issued a Notice of Hearing Session (PDF) indicating it will hear oral arguments on the creation of an AT&T MDL on May 30, at the Orrin G. Hatch U.S. Courthouse in Salt Lake City, Utah. According to the notice, there were 12 AT&T data breach lawsuits filed at that time. All but one of those claims were filed in the Northern District of Texas, with the remaining claim filed in the Western District of Oklahoma.

The original motion to transfer, filed by Alex Petroski, of Ohio, suggests the Northern District of Texas would be the best venue for the consolidated pretrial proceedings.

AT&T responded to Petroski’s motion with its own motion to support (PDF) consolidation on April 25, indicating there the number of data breach class action lawsuits had already grown to 46 complaints in various different districts, including California, Georgia, Illinois, Missouri, and Oklahoma. However, the company notes the majority of claims have still been filed in the Northern District of Texas.

“The Panel generally orders transfer and consolidation to avoid conflicting rulings, reduce litigation costs, and conserve the time and effort of the parties, attorneys, witnesses, and courts,” AT&T’s response states. “These factors strongly support transfer and consolidation of related and tag-along actions and favor the Northern District of Texas (Dallas) as the appropriate transferee court.”

Another plaintiff, Rah-Nita Boykin, filed another motion to support consolidation (PDF) filed on May 9, pointing out that the size and scope of the litigation is expected to continue to grow rapidly.

“Each of the Related Actions concerns alleged failures by Defendant AT&T resulting in a data breach affecting more than 73 million current and former AT&T customers,” her motion states. “Because the Related Actions comprise overlapping putative nationwide classes, no efficiencies will be gained by litigating these claims in multiple forums.”

However, not all plaintiffs agree that AT&T data breach class action lawsuits should be consolidated in Texas. Plaintiffs Kenneth Hasson and Chad Graddy indicated in their own response (PDF), filed on April 26, that the cases should instead be centralized in the Northern District of Georgia, where AT&T Mobility, LLC is headquartered.

Given the support of consolidation by several parties on both sides, it is likely that the JPML will hear few, if any, dissenting voices calling for the lawsuits to continue through individual pretrial proceedings.

If the JPML chooses to consolidate the lawsuits before one judge, pretrial proceedings will be coordinated to avoid duplicative discovery into common issues in the cases, and the court will likely establish a bellwether program where a small group of cases will be prioritized, to help gauge how juries may interpret expert testimony and evidence likely to be used in thousands of trials.