The first breach likely occurred between 2019 and 2021 when hackers obtained the Social Security numbers, email addresses, phone numbers, dates of birth, AT&T account numbers and passcodes of 73 million users. Both current and former users were affected, and the hackers appear to have accessed data dating back to 2019 or earlier. AT&T confirmed the breach in March 2024 when the data was posted on the dark web, although some outlets reported on it as early as 2021.
Shortly afterward, disaster struck again. The company announced in July 2024 that “almost all” of its customers’ phone records were illegally downloaded from AT&T Workspace to a third-party cloud platform. A former US Army soldier and two other people reportedly accessed records of customers’ call and text interactions and the hack affected Verizon, Ticketmaster and about 160 other companies. The former soldier pleaded guilty to trying to sell stolen AT&T data, including to a foreign intelligence service.
AT&T settled a class-action lawsuit over the breaches earlier this year and the court ordered the telecommunications giant to pay a total of $177 million to affected customers. Customers who were affected by the first data breach will be entitled to up to $5,000, and those who were affected by the second data breach will be entitled to up to $2,500. The deadline to request payment in settlement is Thursday, December 18. You must file your claim online through postmarked mail on or before that time.
“I think the compromise is too low for this, because it contains very important pieces of information,” Adrianus Warmenhoven, who sits on NordVPN’s security advisory board, told Gizmodo. Social Security numbers are a significant breach, but Wormenhoven says date of birth violations could also be a bigger threat.
Criminals gradually collect information about you through breaches (although the AT&T breach is quite significant, says Wormenhoven, breaches affecting millions of users are “starting to become quite common”). One data breach may expose your email address, while another may expose your phone number, etc. When combined, they create a picture that a criminal can use to digitally impersonate you.
“With most data, if you have a complete profile, I can call the credit card companies, get a new account there, get a lease for something, borrow some money, rent a car,” Wormenhoven said. “So this data will never go away; it will only get richer.”
Sadly, there is no “technological fix” that someone can use to protect themselves from these breaches, Warmenhoven said, because there is no technical problem.
“It’s just poor management,” he said. The best practice to protect consumer data is to avoid pooling it all together in one large, easily accessible database. He claimed that most companies do not need your date of birth or your name, but they do keep it in the database for administrative purposes.
“It’s not at all technically difficult to separate them, but we prioritize productivity,” Voormenhoven said. “So the only solution is to either vote for the right people who will punish those companies or become a big shareholder.”
How to file a claim
If your data was involved in the breach, you should have received an email notifying you. So the first step should be to go to your account and find an email from Kroll Settlement Administration, which is the organization that is managing the legal settlement. That email will include your Claims Member ID, which you will need to enter in the submission.
You will be able to file your claim on telecomdatasettlement.com by clicking “Submit Claim”.
Customers whose data was leaked in both may be entitled to up to $7,500 combined. This payment is supposed to cover any losses that can be substantially traced to a data breach, which would include things like fraudulent charges on your bank account, or the cost of any identity theft protection services or fraud investigation. If you wish to get reimbursed for these, you will need to provide documentation such as receipts, invoices, or bank statements when filing your claim.
If the breach didn’t directly cause you any financial loss, you may still be eligible for a payout. In that case, you should select Tiered Cash payment. If your SSN was leaked in the first breach, you will automatically qualify for the Tier 1 cash payment, which will be the highest payment. If other pieces of personal data were leaked in the first breach, you will qualify for a Tier 2 cash payment. If your data was leaked in the second breach, but you suffered no direct financial loss, you qualify for Tier 3, which will be a proportionate share of whatever is left in the settlement fund after everything else has been paid.
<a href