AT&T Data Breach Settlement: What Happened and Why It Matters

AT&T has a proposed $177 million class-action settlement covering two major data incidents, and it spotlights growing third-party cloud risk in telecom data supply chains.

Two Data Incidents and Settlement Classes Explained

The settlement consolidates claims from two separate events tied to different data types and timelines. First, a dataset containing personal information from 2019 or earlier—including names, birth dates and some Social Security numbers—was found on the dark web and publicly acknowledged by AT&T in March 2024; it covered about 7.6 million current and 65.4 million former account holders, and the company reset passwords for impacted current users. Second, in April 2024, phone and text record data from roughly May through October 2022 (with some records into early 2023) was exfiltrated from AT&T’s Snowflake-hosted data warehouse, potentially affecting nearly the entire U.S. cellular base; AT&T disclosed this in July 2024, and law enforcement later arrested two individuals linked to the attack, which has been associated with the ShinyHunters group.

Settlement Timeline, Fund Allocation, and Payout Structure

A U.S. district judge granted preliminary approval in June 2025, and claims opened in August 2025. The proposal allocates $149 million to the “AT&T 1” class (2019 dataset) and $28 million to the “AT&T 2” class (Snowflake records). A final approval hearing is scheduled for December 3, 2025. Payouts will depend on how many valid claims are filed and on deductions for administrative and legal costs.

Why It Matters: Third-Party Cloud and CPNI Risk

For telecom operators, exposing call detail records and customer PII through a third-party platform underscores the urgency of Zero Trust controls, data minimization, and rigorous vendor governance across cloud data warehouses (e.g., Snowflake) and analytics pipelines. Expect more regulatory scrutiny under FCC CPNI rules, state privacy laws, and potential FTC enforcement, plus heightened enterprise requirements for attestations, segmentation, and continuous monitoring.

Eligibility and Potential Payouts

Eligibility depends on which incident affected you, and customers touched by both can submit claims in each class.

Who Qualifies for AT&T 1 and AT&T 2

AT&T 1 (2019 dataset): Current or former AT&T account holders whose personal information was included in the dataset acknowledged in March 2024 are part of this class. AT&T 2 (Snowflake records): AT&T U.S. cellular customers whose phone/text records from roughly May–October 2022 (and some early 2023) were accessed are part of this class. If you’re in both classes, you may file both claims.

Estimated Payouts and Claim Caps

AT&T 1 offers up to $5,000 for documented, incident-related losses, or a tiered cash payment if you don’t submit documentation; whether a Social Security number was involved may affect the tier. AT&T 2 offers up to $2,500 for documented, incident-related losses, or a proportional cash payment without documentation. If you qualify for both incidents and have separate documentation for each, the combined cap could reach $7,500. Actual amounts depend on the total number of valid claims and settlement costs, and funds will not be distributed until after final court approval.

How to File an AT&T Data Breach Claim by November 18, 2025

Claims are administered by Kroll Settlement Administration and can be submitted online or by mail.

File Online at telecomdatasettlement.com

Visit telecomdatasettlement.com and use your Class Member ID from Kroll’s notification (check spam and filters). If you didn’t receive a notice or are unsure of your eligibility, contact the administrator at 833-890-4930. Be prepared to upload documentation for any claimed losses, and submit separate documentation if you are filing for both incidents. Due to high traffic, the site may occasionally place you in a virtual queue.

File by Mail: Address and Postmark Requirements

Download, print, and complete the claim forms for the relevant incident(s) from the settlement site and mail them to AT&T Data Incident Settlement; c/o Kroll Settlement Administration LLC; P.O. Box 5324; New York, NY 10150-5324. Mailed claims must be postmarked by November 18, 2025.

What Counts as Documented Losses

Documentation generally means proof of out-of-pocket losses plausibly linked to the specific incident and time frame (for example, certain fraud remediation costs or professional services), but you should rely on the instructions on the claim forms for accepted evidence and eligibility criteria.

Security Takeaways for Telecom, 5G, and Enterprise IT

The settlement highlights critical control gaps at the intersection of identity, data governance, and third-party cloud platforms used in telecom analytics.

Govern Third-Party Cloud Data Platforms

Treat data warehouses like Snowflake as high-risk systems: enforce SSO and MFA, restrict access with least privilege and short-lived credentials, segment data products, and apply network policies (e.g., private connectivity, IP allowlisting). Centralize secrets management, rotate service account keys, and monitor for anomalous data downloads. Tokenize or mask sensitive fields and apply row/column-level security where possible.

Harden CDR/CPNI Pipelines and Apply Zero Trust

Minimize retention windows for call/text records and PII, encrypt in transit and at rest with strong key management, and isolate regulated datasets. Map data flows end-to-end and apply Zero Trust principles across ingestion, staging, analytics, and sharing. Align with NIST CSF 2.0 and ISO/IEC 27001, use SOC 2 and CSA STAR attestations in vendor selection, and conduct regular red-team exercises focused on exfiltration paths.

Operational Readiness, Vendor Risk, and Board Oversight

Prepare playbooks for rapid notification, credential resets, and fraud support; implement continuous control validation and third-party risk reviews; and ensure board-level oversight. Tighten contract language to require timely incident reporting, security baselines, and audit rights for data processors and sub-processors.

Key Dates, Final Approval, and What to Watch

There are firm deadlines for claimants and open questions on timing and broader industry impact.

Key Milestones and Industry Watchlist

Claim filing closes November 18, 2025; final approval hearing is set for December 3, 2025. Payouts will occur only after final approval and resolution of any appeals. Watch for additional regulatory actions, further litigation tied to third-party data platforms, and new telecom guidance on cloud data warehousing, data minimization, and CPNI/CPRA compliance. For operators and enterprises alike, the lesson is clear: treat analytics platforms as critical infrastructure, not just data tools.