If you are or were an AT&T user, chances are high that you were a victim of at least one of two major data breaches.
The first breach likely happened sometime between 2019 and 2021 when hackers obtained the social security numbers, email addresses, phone numbers, dates of birth, AT&T account numbers, and passcodes of a whopping 73 million users. Both current and former users were affected, and the hackers seemed to have accessed data from 2019 or earlier. AT&T confirmed the breach in March 2024 when the data was posted on the dark web, although some outlets had reported on it as early as 2021.
Shortly after, disaster hit again. The company announced in July 2024 that phone records belonging to “nearly all” of its customers were illegally downloaded from the AT&T workspace onto a third-party cloud platform. A former U.S. Army soldier and two other people allegedly accessed records of customers’ calls and text interactions, and the hack impacted Verizon, Ticketmaster, and roughly 160 other companies. The former soldier pleaded guilty to trying to sell the stolen AT&T data, including to a foreign intelligence service.
AT&T settled a class-action lawsuit over the breaches earlier this year, and the court ordered the telecommunications giant to pay a total of $177 million to affected customers. Customers who were impacted in the first data breach will be entitled to up to $5,000, and those impacted in the second data breach will be entitled to up to $2,500. The deadline to request a payout in the settlement is Thursday, Dec. 18. You will have to file your claim either online by that time or via mail postmarked on or before then.
“I think that the settlement is way too low for this one, because there’s such important pieces of information,” Adrianus Warmenhoven, who is on NordVPN’s security advisory board, told Gizmodo. A breach of social security numbers is significant, but Warmenhoven says that even a leaked date of birth could be a substantial threat.
Criminals accumulate information about you gradually through breaches (although the AT&T breach is quite significant, Warmenhoven says, breaches that impact users in the millions are “starting to become quite common”). One data breach could reveal your email address, while another could reveal your phone number, etc. When combined, they paint a picture that a criminal could use to digitally impersonate you.
“With most of the data, if you have a complete profile, I can call credit card companies, get a new account on there, get a lease for something, borrow some money, rent a car,” Warmenhoven said. “So this data will never, ever go away; it will only get more and more enriched.”
There is sadly no “technical fix” that an individual can use to protect themselves against these breaches, Warmenhoven said, because there is no technical problem underlying it.
“It’s just bad management,” he said. The best practice to protect consumer data is to refrain from keeping it all together in one big, easily available database. Most companies don’t need your date of birth or your name, but they keep them in databases for administrative purposes, he claimed.
“It’s not technically difficult at all to separate those, but we prioritize productivity,” Warmenhoven said. “So the only fix for this is either vote for the correct people who will punish those companies or become a big shareholder.”
How to file a claim
If your data was involved in the breach, you should have gotten an email informing you. So the first step should be to go to your account and search for an email from Kroll Settlement Administration, which is the organization that is managing the legal settlement. That email will include your Claim Member ID, which you will have to input in the submission.
You will be able to file your claim on telecomdatasettlement.com by clicking “Submit Claim.”
Customers who had data leaked in both breaches could be entitled to up to $7,500 combined. The payout is supposed to make up for any losses that could be fairly traced back to the data breaches, which would include things like fraudulent charges on your bank account, or the cost of any identity theft protection services or fraud investigations. If you wish to get these reimbursed, you have to provide documentation like receipts, invoices, or bank statements in your claim filing.
If you don’t have any financial losses directly tied to the breach, you can still qualify for a payout. In that case, you should choose to have a Tier Cash Payment. If your SSN was leaked in the first breach, you will automatically qualify for a Tier 1 Cash Payment, which will be the highest payout. If other pieces of personal data were leaked in the first breach, you will qualify for a Tier 2 Cash Payment. If your data was leaked in the second breach but you have no direct financial losses, you qualify for Tier 3, which will be a pro rata share of whatever is left in the settlement fund after everything else is paid off.

