AT&T Customer Data Breach Class Action Litigation

In March 2024, AT&T confirmed that a dataset containing personal information for approximately 73 million current and former customers had been published on the dark web — data that AT&T initially denied was its own when it first surfaced in 2021. The compromised information included full names, mailing addresses, phone numbers, dates of birth, Social Security numbers, and encrypted account passcodes. Shortly after the confirmation, security researchers determined the encrypted passcodes could be easily decrypted, dramatically amplifying the risk of account takeover and identity theft for affected customers. Dozens of class action lawsuits were filed almost immediately and are being centralized in the Northern District of Texas.

Plaintiffs allege that AT&T knew or should have known about this data exposure for years and failed to timely notify customers, constituting negligence and violations of multiple state consumer protection and data privacy laws. The lawsuits also allege breach of contract and unjust enrichment, arguing that customers paid for services under the expectation that their sensitive data would be protected. Separately, in July 2024, AT&T disclosed a second major breach affecting call and text records for nearly all of its wireless customers from mid-2022, significantly expanding the litigation's scope. The combined cases represent one of the most significant telecom data breach litigations in U.S. history.