A federal judge has granted preliminary approval to a $177 million settlement, resolving class-action lawsuits filed against AT&T following multiple high-profile data breaches in 2024. These breaches compromised the personal information of tens of millions of customers, making it one of the largest data privacy cases involving a U.S. telecommunications company.

AT&T’s breaches included unauthorized access to approximately 109 million customer accounts through its Snowflake cloud platform. The compromised data spanned six months of call and text logs from 2022. Additionally, a separate dataset affecting 73 million current and former customers was leaked on the dark web.

Despite denying responsibility, AT&T claimed it settled to avoid the costs and uncertainties of extended litigation. Customers with verified financial harm may receive up to $2,500 or $5,000, while the remainder of the fund will be distributed among others whose data was accessed. Final court approval is expected by the end of 2025, with payouts likely beginning in early 2026.

The 2024 incidents are not AT&T’s first entanglements with data security issues.

In 2023, the company paid $13 million to settle an FCC investigation related to an earlier breach from 2015 to 2017. The data involved was supposed to have been deleted years earlier, underscoring persistent issues with legacy data management.

The FCC continues to investigate the scope and fallout of these breaches, especially the company’s reliance on third-party cloud services like Snowflake. These developments reveal deeper concerns about how massive telecom operators handle and secure consumer data across evolving digital infrastructures.

Why It Matters: The settlement underscores the growing pressure on corporations to safeguard personal data and implement rigorous, transparent data retention policies. As the legal and financial stakes of cybersecurity failures continue to rise, companies face mounting accountability when breaches affect millions. With cloud platforms now central to business infrastructure, the case also underscores the urgent need for robust oversight and stricter governance of third-party technology providers.

• Scale of the Breach: The 2024 data incidents collectively impacted over 109 million AT&T customers, making it one of the most extensive data breaches in the history of the U.S. telecom industry. The scope included not only basic account identifiers but also potentially sensitive metadata from phone calls and texts, raising serious concerns about privacy violations on a national scale.

• Individual Compensation Tiers: The settlement’s structured payout system reflects the legal emphasis on traceable harm. Customers able to demonstrate financial harm linked directly to the breaches can claim up to $2,500 or $5,000, depending on the nature of the breach. This tiered model aims to balance individualized restitution with broader class-wide equity, ensuring that those most impacted receive proportionate relief.

• Data Retention Risks: A significant portion of the breached data was tied to customers who had not held accounts with AT&T for years, with some data dating back to before 2019. This has triggered alarms over the telecom industry’s data retention practices, particularly the failure to remove unnecessary customer records that could become a liability in the event of a breach.

• Evolving Regulatory Landscape: The FCC’s ongoing scrutiny, especially in light of AT&T’s previous $13 million settlement in 2023, signals an increasingly assertive regulatory stance on consumer data protection. These cases may influence upcoming federal data privacy legislation and push companies to overhaul both their internal compliance strategies and vendor oversight protocols.

• Third-Party Cloud Exposure: The breaches exposed vulnerabilities in AT&T’s use of Snowflake, a third-party cloud service provider, highlighting systemic risks in outsourced data storage environments. As cloud platforms become foundational to enterprise IT operations, this case could serve as a cautionary benchmark for companies relying on external partners for critical infrastructure.

Go Deeper -> AT&T’s $177-million data breach settlement wins US court approval – Reuters