AT&T has agreed to pay $177 million to resolve class-action suits arising from two large data breaches that exposed the personal data of tens of millions of current and former customers. The settlement, preliminarily approved by a Texas U.S. District Court judge on June 20, 2025, ranks among the biggest data breach settlements in recent years and could mean payments of up to $5,000 per affected customer.
The data breaches that resulted in the settlement
- The 2019 dark web breach: The first incident was reported in 2019 but was formally disclosed by AT&T in March 2024, after the company realized that customer data had been uploaded to the dark web. The breach affected about 73 million individuals, of whom 7.6 million were active AT&T customers and 65.4 million were former account holders. The exposed data included highly sensitive details such as names, Social Security numbers, birth dates, email addresses, mailing addresses, phone numbers, and account passcodes.
- The 2024 Snowflake cloud hack: The second breach occurred in April 2024, when hackers broke into AT&T’s workspace on Snowflake, a third-party cloud storage provider. The breach lasted about 11 days, between April 14, 2024, and April 25, 2024. Attackers obtained the call and text message history of nearly all of AT&T’s wireless customers (about 110 million individuals) between May 1, 2022, and October 31, 2022, and records starting January 2, 2023.
Unlike the 2019 breach, the Snowflake breach did not leak customers’ names or personally identifiable information. It exposed the phone numbers AT&T customers called, the numbers of those they were in contact with, overall call durations, and part of the cell site identification numbers.
The $177 million settlement is split into two separate funds, depending on which breach affected the customer:
- $149 million for victims of the 2019 breach
- $28 million for victims of the 2024 Snowflake breach
Highest amounts recovered
Customers who can document losses that are “fairly traceable” to the breaches can recover the highest amounts:
- A maximum of $5,000 for 2019 breach victims
- A maximum of $2,500 for 2024 Snowflake breach victims
These maximum payments are reserved for customers who can provide reasonable documentation of financial losses that result directly from the data breaches.
Once customers with proven losses have been compensated, the remainder of the settlement funds will be paid to all affected customers whose personal details were accessed, irrespective of whether they can prove tangible financial loss. The amount each individual receives will be based on the number of valid claims made and the extent of personal data exposure.
Critical dates and payment schedule
The notice period for the settlements will begin on August 4, 2025, and run until October 17, 2025. Eligible customers will be notified by email or mail that they are entitled to file a claim under the settlement.
Claimants must file their claim forms on or before November 18, 2025. Claims may be filed online at the court-authorized settlement website, once an official site is operational, or by mail.
Final approval is scheduled for December 3, 2025. Payments will begin in early 2026 if the court grants final approval. AT&T has stated that it believes the settlement will receive final approval no later than late 2025.
Eligibility requirements
There are two different classes of customers that are covered by the settlement:
- AT&T 1 Settlement Class: All individuals in the United States whose data was affected in the March 2024 notice of the 2019 data breach, where AT&T-related data surfaced on the dark web
- AT&T 2 Settlement Class: All users of AT&T accounts or lines whose data was affected in the July 2024 notice of the Snowflake breach
How to determine eligibility
Customers are not required to do anything yet to verify their eligibility. AT&T will directly notify all affected customers within the notice period starting in August 2025. Customers will be notified based on records of who was affected by each breach.
Despite agreeing to the substantial settlement, AT&T has maintained its position that it was not responsible for the criminal acts that led to the data breaches. In an official statement, the company said: “While we deny the allegations in these lawsuits that we were responsible for these criminal acts, we have agreed to this settlement to avoid the expense and uncertainty of protracted litigation. We remain committed to protecting our customers’ data and ensuring their continued trust in us.”
The telecommunications giant has also implemented additional cybersecurity measures in response to the incidents, including closing off the points of unauthorized access and providing free credit monitoring services to affected customers.