AT&T’s $177 Million Data Breach Settlement Gets Preliminary Court Approval

Key Takeaways

• $177 Million Settlement Approved: A federal judge has given preliminary approval to AT&T’s proposed $177 million class action settlement stemming from two major 2024 data breaches.
• Final Hearing Set for December: The U.S. District Court for the Northern District of Texas has scheduled a final settlement approval hearing for December 3, 2025.
• Millions of Customers Affected: The breaches exposed sensitive data (including Social Security numbers, account passcodes, and communication records) of up to 73 million current and former customers.
• AT&T Denies Liability: While denying responsibility, AT&T agreed to the settlement to avoid prolonged litigation and mounting legal costs.
• Broader Cyber Risk Implications: The case highlights the growing financial and reputational risks of cyberattacks, with experts urging CFOs and CISOs to collaborate on enterprise-wide risk mitigation strategies.

Deep Dive

A federal judge has given the green light to a proposed $177 million settlement in a consolidated class action lawsuit against AT&T, stemming from two massive data breaches that exposed the personal information of tens of millions of customers. The preliminary approval, issued by Judge Ada Brown of the U.S. District Court for the Northern District of Texas, clears the way for a final settlement hearing set for December 3, 2025.

The proposed agreement seeks to resolve dozens of lawsuits filed after the company disclosed two separate security incidents in 2024. The first, revealed in March, involved the exposure of data from approximately 73 million current and former customers, including sensitive personal identifiers such as names, Social Security numbers, birth dates, and account passcodes. The second breach, disclosed in July, involved six months of call and text records from 2022, affecting nearly every AT&T wireless customer at the time.

According to court filings, the settlement allocates $149 million for customers affected by the first breach and another $28 million for those impacted by the second. Plaintiffs in the consolidated case argued that AT&T’s inadequate cybersecurity measures and delays in notifying affected users left millions vulnerable to identity theft and other forms of digital harm.

The litigation was centralized in Texas following a June 2024 order from the Judicial Panel on Multi-district Litigation, which combined related complaints into a single class action.

The AT&T case underscores the growing financial and legal risks posed by cyber incidents, risks that are now drawing more attention from corporate leadership. In 2024 alone, the FBI’s Internet Crime Complaint Center received over 850,000 reports of suspected internet crime, with losses exceeding $16 billion, a 33% increase from the prior year.

AT&T’s high-profile breach has landed it on several “largest cyberattacks” lists compiled by experts such as the Cyber Management Alliance. Its resolution, if finalized in December, could mark one of the costliest breach settlements in recent years and a signal to other companies about the rising stakes of data protection failures.

The court will decide later this year whether to grant final approval, a move that could provide restitution to affected customers and close a significant chapter in the telecom giant’s data security challenges

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.