AT&T’s $177 million settlement for massive data breaches offers victims just pennies while the tech giant continues to profit from their personal information.
Key Takeaways
- AT&T has agreed to pay $177 million to settle lawsuits over two major data breaches affecting nearly 182 million customers combined.
- The 2019 breach exposed sensitive data of 73 million people, including Social Security numbers, while the 2024 breach compromised call and text records of 109 million customers.
- Maximum compensation is capped at $5,000 for the 2019 breach and $2,500 for the 2024 breach, but only for those who can prove direct damages.
- The claims process won’t start until August 2025, with payments expected in 2026 – nearly seven years after the first breach occurred.
- Most affected customers will receive minimal compensation despite the exposure of their personal information to criminal hackers.
Corporate Negligence Leads to Massive Data Exposure
AT&T’s proposed $177 million settlement aims to resolve legal challenges stemming from two significant data breaches that compromised the personal information of nearly 182 million Americans. The first breach in 2019 exposed sensitive data including names, Social Security numbers, and birth dates of 7.6 million current and 65.4 million former AT&T customers. This catastrophic security failure remained hidden from the public for years until it was finally disclosed, allowing criminals ample time to exploit the stolen information while affected customers remained unaware of their vulnerability.
The second breach, discovered in 2024, revealed that hackers had accessed cloud storage containing 2022 call and text records for approximately 109 million US customers. The breach occurred through AT&T’s cloud storage provider, Snowflake, highlighting persistent security vulnerabilities in the telecommunications giant’s data protection systems. Class action lawsuits soon followed, accusing AT&T of corporate negligence and failure to implement adequate safeguards for customers’ sensitive information, despite charging premium prices for their services and collecting valuable consumer data for their business operations.
The telecom giant will pay out $177 million in relation to two recent data breaches affecting current and former customers. https://t.co/9mZb4cKkZp
— CNET (@CNET) June 24, 2025
Minimal Compensation for Massive Privacy Violations
While AT&T has agreed to the $177 million settlement, the compensation structure heavily favors the corporation over affected consumers. US District Judge Ada Brown granted preliminary approval on June 20, 2025, but the claims process won’t even begin until August 4, 2025 – more than six years after the first breach occurred. This deliberate delay benefits AT&T while leaving victims vulnerable to ongoing identity theft and fraud with no immediate support. Most affected customers will receive only nominal payments, despite having their most sensitive personal information compromised.
“The amount a class member will recover will depend on whether their alleged losses are fairly traceable to the data incidents,” AT&T stated in court documents, adding that victims must prove their losses were “reasonably” connected to the breaches.
The settlement structure requires victims to jump through legal hoops to receive meaningful compensation. To qualify for the maximum payouts of $5,000 (2019 breach) or $2,500 (2024 breach), customers must provide extensive documentation proving direct financial damages – a challenging task given the complex nature of identity theft. The majority of victims, unable to meet this high burden of proof, will receive only a fraction of these amounts from whatever funds remain after prioritized payouts, effectively minimizing AT&T’s financial accountability while maximizing their public relations benefit.
Corporate Accountability Delayed and Diminished
AT&T has consistently downplayed its responsibility for these massive security failures. Rather than acknowledging its negligence in protecting customer data, the company has attempted to shift blame. In court filings, AT&T claimed it was not “responsible for these criminal acts” committed by hackers, conveniently ignoring its obligation to implement robust security measures to prevent such breaches. This deflection strategy allows the company to present the settlement as a generous offering rather than necessary compensation for its failures to protect consumer data.
“AT&T is not responsible for these criminal acts,” the company claimed in response to the lawsuits, despite failing to implement adequate security measures to protect customer data.
The timeline for compensation further demonstrates how corporate interests outweigh consumer protection. Eligible customers won’t receive notifications until later this year, with the claims submission deadline set for November 18, 2025. Final court approval isn’t scheduled until December 3, 2025, pushing actual payments into early 2026. This protracted process benefits AT&T by delaying financial obligations while continuing to collect and profit from customer data. Meanwhile, affected customers remain at risk of identity theft and fraud with no immediate recourse or support from the company that failed to protect their information.
A Wake-Up Call for Corporate Data Accountability
The AT&T settlement represents a larger pattern of insufficient accountability for corporations that profit from consumer data without adequately protecting it. While the $177 million figure sounds substantial, it amounts to pennies per affected customer and represents a tiny fraction of AT&T’s annual profits. This case highlights the urgent need for stronger regulatory frameworks that hold corporations financially responsible for data breaches proportionate to their scale and impact. The current system allows companies to treat such settlements as a minor cost of doing business rather than a significant deterrent against negligent data security practices.
As the claims process begins next year, affected customers should document any potential financial impacts from these breaches. Those who experienced identity theft, fraud, or other financial damages should gather evidence to strengthen their claims for the maximum compensation amounts. However, the reality is that most victims will receive minimal compensation despite the significant privacy violations and ongoing risks they face. This settlement should serve as a wake-up call for strengthening consumer data protection laws and ensuring corporations face meaningful consequences when they fail to safeguard the sensitive information entrusted to them.
