AT&T Data Breach Lawsuit MDL 3114: $177M Settlement & Claims Guide 2026
One Hundred Million Records: The Scale of the AT&T Breach
In 2024, America’s largest wireless carrier disclosed not one but two major data breaches — exposing the personal data of a substantial fraction of the entire adult U.S. population.
The first disclosure, on March 30, 2024, revealed that a dataset containing information on tens of millions of AT&T customers — data believed to date from 2019 or earlier — had surfaced on a dark-web forum. This dataset included Social Security numbers, a category of identifying information that cannot be changed and whose exposure creates lifelong identity theft risk.
The second disclosure, on July 12, 2024, was in some ways more alarming in its scope. AT&T revealed in an SEC filing that a threat actor had exfiltrated call and text metadata from a third-party Snowflake-hosted cloud environment. The records covered approximately 110 million customers — essentially anyone who had interacted via AT&T’s network during the targeted period. While the content of calls and texts was not captured, the metadata — who called whom, when, for how long, and from what general location — creates its own significant privacy exposure.
MDL 3114, consolidated in the Northern District of Texas before Judge Ada E. Brown, combines claims arising from both breaches. A $177 million settlement was negotiated. This guide explains who was affected, what they can recover, and what to do now.
This article is for informational purposes only and does not constitute legal advice.
MDL 3114: Key Case Information
Case coordinates:
| Field | Detail |
|---|---|
| Full case name | In re: AT&T Inc. Customer Data Security Breach Litigation |
| Case number | 3:24-md-03114-E |
| MDL No. | 3114 |
| Court | U.S. District Court, Northern District of Texas (N.D. Tex.) |
| Presiding judge | Hon. Ada E. Brown |
| MDL consolidated | June 2024 |
| PEC Chair | Shauna Itri, Seeger Weiss LLP (appointed August 14, 2024) |
| Consolidated complaint filed | May 30, 2025 |
| Final Approval Hearing | January 15, 2026 |
| Status as of April 2026 | Court considering final approval (per telecomdatasettlement.com) |
Breach 1 and Breach 2: Comparing the Two Events
Understanding which breach affected you — and how — matters for eligibility and the strength of your claim.
AT&T Breach 1 — March 30, 2024 Dark Web Disclosure
What was disclosed: A 73-million-row dataset surfaced on a hacker forum. AT&T confirmed the data appeared to relate to approximately 7.6 million current account holders and approximately 65.4 million former account holders.
Nature of data: Names, Social Security numbers (full or partial), email addresses, phone numbers, addresses, dates of birth, AT&T account numbers. For some users, AT&T passcodes (4-digit PIN numbers used to authenticate account changes) were included.
Origin of data: AT&T initially said the data was from 2019 or earlier and that it could not confirm the data came from its own systems or a vendor. The origin question is relevant to legal theories (AT&T’s own security vs. a vendor’s).
Immediate risk: SSN exposure is the most serious element. SSNs are used to open credit accounts, file tax returns, access medical care, and authenticate to government agencies. SSN compromise creates multi-year identity theft risk.
AT&T Breach 2 — July 12, 2024 Snowflake Disclosure
What was disclosed: AT&T disclosed in an SEC filing that a threat actor had accessed AT&T data stored in a third-party Snowflake cloud environment. Exfiltrated data covered calls and texts made through AT&T’s network during approximately May through October 2022 and January 2, 2023.
Nature of data: Call detail records (CDRs) — not the content of communications, but metadata: telephone numbers of every call and text partner, call/text dates and approximate duration, and in some cases the cell tower identification data that approximates geographic location.
Scale: Per AT&T’s SEC filing, approximately 110 million customers were affected — encompassing essentially all AT&T wireless customers during the affected period.
The Snowflake context: Multiple major companies’ data was compromised from Snowflake-hosted environments around the same time, including Ticketmaster (Live Nation), Santander Bank, and others. Investigators linked the breach to a threat actor who targeted companies with Snowflake credentials but without multi-factor authentication enabled on their Snowflake environments.
Why Call-Record Metadata Matters
The July breach involved metadata, not content. This distinction is legally meaningful (content has higher statutory protection under the Electronic Communications Privacy Act) but does not mean metadata is harmless.
Call-record metadata reveals:
- Your social and professional network (everyone you called or texted)
- Medical appointments and sensitive services (calls to doctors, clinics, therapy practices, addiction services, legal counsel)
- Financial activity (calls to banks, mortgage companies, creditors)
- Relationship patterns (frequency of contact with specific numbers)
- Physical location (cell tower data approximates where you were when making calls)
For certain individuals — attorneys whose client communications may be identifiable, domestic violence survivors whose contact with shelters or support services was recorded, healthcare workers whose clinical contacts appear in the data — the metadata exposure creates serious professional and safety risks.
Legal protection for metadata: The Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq., regulates the interception and disclosure of wire communications. While ECPA provides stronger protection for content than metadata, state laws (including state wiretapping analogs and consumer protection laws) may provide additional remedies for metadata-based privacy violations.
The Settlement: $177 Million Across Two Breach Classes
Settlement structure:
- AT&T Breach 1 class: $149 million
- AT&T Breach 2 component: separate allocation
- Combined total: $177 million
Claim filing process: The official settlement website is telecomdatasettlement.com. As of April 2026, the court had not yet issued a final approval order (the Final Approval Hearing was January 15, 2026). Do not interpret “hearing was held” as “final approval was granted” — monitor the website for the actual order.
What the settlement covers:
- Documented out-of-pocket losses related to the breach (identity theft losses, fraud, credit monitoring costs)
- Time spent dealing with breach consequences (at a specified hourly rate)
- Statutory and general damages under applicable laws
Per-claimant recovery: With approximately 110 million potential claimants for Breach 2 alone, per-person base recovery will be limited. Claims filing is still worthwhile: it costs minimal time, preserves legal rights, and higher recoveries go to those who document specific out-of-pocket losses.
Legal Theories Underpinning the Litigation
Negligence: AT&T owed a duty of care to protect customer data entrusted to it. Both breaches allegedly resulted from failures in security architecture, vendor management, and monitoring.
Breach of contract: AT&T’s service agreements and privacy policies contain representations about data security. The breaches violated these representations.
Negligence per se / FTC Act violations: The Federal Trade Commission Act Section 5 prohibits unfair or deceptive acts or practices. Failure to maintain reasonable data security for sensitive consumer information is an FTC enforcement priority. FTC Act violations can establish negligence per se in some state courts.
Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2701: The Stored Communications Act (SCA), as part of ECPA, protects stored communications and transactional records. Unauthorized access to AT&T’s stored call records may implicate SCA provisions.
State consumer protection laws (UDAP): Every state has unfair and deceptive acts or practices (UDAP) statutes. AT&T’s failure to adequately protect consumer data may constitute a deceptive trade practice in states with broad UDAP coverage.
State data breach notification laws: All 50 states have breach notification statutes requiring timely disclosure to affected individuals. Delayed notification — or failure to notify at all — can constitute an independent statutory violation.
Statute of Limitations: State-by-State Reference
| State | Data Breach SOL | Consumer Protection SOL | Discovery Rule |
|---|---|---|---|
| California | 2 years | 4 years (UCL) | Yes |
| Texas | 2 years | 4 years (DTPA) | Yes |
| New York | 3 years | 3 years | Yes |
| Florida | 4 years | 4 years (FDUTPA) | Yes |
| Illinois | 2 years | 3 years (Consumer Fraud Act) | Yes |
| Pennsylvania | 2 years | 6 years (UTPCPL) | Yes |
| New Jersey | 2 years | 6 years | Yes |
| Ohio | 2 years | 2 years | Yes |
AT&T Breach 1: SOL typically runs from March 30, 2024 (public disclosure). Breach 1 claimants in 2-year states have until approximately March 30, 2026.
AT&T Breach 2: SOL typically runs from July 12, 2024. Breach 2 claimants in 2-year states have until approximately July 12, 2026.
Note that MDL participation requires filing a claim through the settlement process or, for opt-out plaintiffs, a Short Form Complaint in the MDL. Consult an attorney promptly.
Scenario: An AT&T Customer’s Identity Theft Experience
Background: A 52-year-old independent contractor in Texas. He was an AT&T wireless customer from 2017 through 2024. He received an AT&T breach notification by email in April 2024 following the March disclosure.
What happened after the breach: In June 2024, he discovered three credit card accounts had been opened in his name at banks he did not use. The accounts totaled approximately $12,000. Closing them required 14 hours of calls, credit bureau disputes, and two months of monitoring.
His damages:
- Out-of-pocket time (14 hours × hourly rate established in settlement = documented time loss)
- Credit monitoring costs (he purchased a monitoring service after the breach)
- No direct financial loss from the fraudulent accounts (the banks closed them without requiring him to pay), but the stress, time, and disruption are compensable
Evidence he gathered:
- AT&T breach notification email (saved and printed)
- Credit monitoring alerts from June 2024
- Credit bureau dispute letters and responses
- Time log of calls, disputes, and hours spent resolving the fraud
- Documentation from each bank confirming account closure
Steps taken: He filed a claim through telecomdatasettlement.com for Breach 1, also documenting his out-of-pocket losses for enhanced recovery.
This scenario illustrates the typical evidence pattern for a documented-harm claimant — a strong claim even if the per-person base recovery is modest.
Immediate Security Steps: What Every AT&T Customer Should Do
Regardless of litigation participation, all AT&T customers should take these steps now:
For SSN exposure (Breach 1):
-
Credit freeze — contact all three bureaus:
- Equifax: equifax.com (1-800-349-9960)
- Experian: experian.com (1-888-397-3742)
- TransUnion: transunion.com (1-888-909-8872)
- A credit freeze is free and prevents new credit from being opened in your name
-
Annual credit report check — annualcreditreport.com (free, all three bureaus)
-
IRS Identity Protection PIN — apply at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin
- Prevents someone from filing a fraudulent tax return using your SSN
- PIN changes annually; renew it each year
-
AT&T passcode reset — if you have an AT&T account, change your PIN/passcode now
For call-record metadata exposure (Breach 2):
-
Be alert to highly personalized phishing — attackers with your call records know who your doctors, lawyers, and financial advisors are, and can construct extremely convincing fraudulent contacts from “your doctor’s office” or “your bank”
-
Notify sensitive contacts — if your call records include contact with attorneys, medical specialists, or domestic violence resources, you may want to alert those professionals to the exposure
What to Do Right Now
-
Save all AT&T breach notifications. Forward to yourself and print them.
-
Freeze your credit immediately at all three bureaus. This is the single most effective identity theft prevention measure.
-
Check telecomdatasettlement.com for current claim filing instructions and deadlines.
-
Document any breach-related losses. Keep records of time spent, credit monitoring costs, and any fraudulent accounts.
-
Consult an attorney if you have significant documented losses. Those with identity theft, fraudulent accounts, or other concrete harms may warrant individual representation beyond the settlement.
-
File before your SOL runs. March 2026 (2-year states) and July 2026 (2-year states) are fast approaching for Breach 1 and Breach 2 claims respectively.
Related Data Privacy and Mass Tort Litigation
- 23andMe Data Breach Class Action Lawsuit 2026
- GLP-1 NAION Vision Loss Lawsuit MDL 3163 2026
- JUUL E-Cigarette Teen Addiction Lawsuit MDL 2913 2026
- Hawaii Maui Wildfire Lawsuit 2026
- Exactech Knee Hip Recall Lawsuit MDL 3044 2026
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your situation. Laws vary by state and individual circumstances. Information current as of May 2026; the settlement approval process is ongoing and details may change.
What is MDL 3114?
MDL 3114 is 'In re: AT&T Inc. Customer Data Security Breach Litigation,' Case No. 3:24-md-03114-E, pending in the U.S. District Court for the Northern District of Texas (N.D. Tex.) before Judge Ada E. Brown. The MDL was created in June 2024 to consolidate lawsuits arising from two 2024 AT&T data breaches.
What were the two AT&T data breaches?
AT&T Breach 1: On March 30, 2024, AT&T disclosed that a dataset of customer data — believed to originate from 2019 or earlier — had appeared on the dark web. It reportedly included names, Social Security numbers (full or partial), email addresses, phone numbers, birth dates, and AT&T account numbers for tens of millions of current and former customers. AT&T Breach 2: On July 12, 2024, AT&T disclosed that call and text metadata (not content) had been exfiltrated from a third-party Snowflake-hosted cloud environment. Per AT&T's SEC filing, approximately 110 million customers' call and text records were affected.
What is the settlement amount?
The total settlement is $177 million — $149 million for the AT&T Breach 1 class, with a separate component for AT&T Breach 2. A Consolidated Class Action Complaint was filed May 30, 2025. The Final Approval Hearing was held January 15, 2026. As of April 2026, the court was still considering final approval per the settlement website (telecomdatasettlement.com).
Who was appointed to lead the plaintiffs?
Shauna Itri of Seeger Weiss LLP was appointed as Chair of the Plaintiffs' Executive Committee (PEC) on August 14, 2024.
Do I qualify if AT&T never sent me a breach notification?
Breach notification by AT&T establishes that your data was likely included, but absence of a specific notification does not necessarily mean you were unaffected. If you were an AT&T customer during the relevant periods (prior to March 30, 2024, or prior to July 12, 2024), consult an attorney to determine eligibility.
What data was in the March 2024 dark-web disclosure?
The March 2024 AT&T Breach 1 dataset reportedly included for tens of millions of current and former customers: full names, Social Security numbers (full or partial), email addresses, telephone numbers, dates of birth, AT&T account numbers, and in some cases passcodes.
What data was in the July 2024 Snowflake breach?
AT&T Breach 2 involved call detail records (CDRs) — not the content of calls or texts, but metadata: the phone numbers of who called whom, when, how long, and in some cases cell tower location data that can be used to approximate a caller's location.
What is Snowflake's role — is it a defendant?
Snowflake is the cloud data storage platform where AT&T stored the compromised call-record data. AT&T's environment on Snowflake was compromised, along with other major companies using Snowflake (including Ticketmaster and Santander). AT&T is the primary defendant in MDL 3114. Snowflake itself is not the primary target of these claims.
What is the statute of limitations for an AT&T breach claim?
State statutes of limitations for data breach and privacy claims vary from 1 to 4 years. Under the discovery rule, the clock typically starts when you knew or reasonably should have known of the breach — typically the date of AT&T's public disclosure (March 30, 2024 for Breach 1; July 12, 2024 for Breach 2). Consult an attorney immediately to assess your specific deadline.
What steps should I take to protect myself right now?
Immediately place credit freezes with all three bureaus (Equifax, Experian, TransUnion) — free by law. Review your credit report for unfamiliar accounts. Request an IRS Identity Protection PIN to prevent tax fraud using your SSN. Change your AT&T account password and enable two-factor authentication. Monitor for suspicious calls, texts, or emails referencing your personal data.
What is the official settlement website?
telecomdatasettlement.com is the official settlement website for AT&T Breach 1. Check this site for current claim filing status and deadlines given that final approval was still pending as of April 2026.
관련 글
Hawaii Maui Wildfire Lawsuit 2026: $4.037B Settlement, Eligibility & How to File
23andMe Data Breach Class Action MDL 3098: $30M Settlement, Bankruptcy & Claims 2026
JUUL E-Cigarette Teen Addiction Lawsuit MDL 2913: Settlement, Claims & 2026 Update
GLP-1 NAION Vision Loss Lawsuit MDL 3163: Ozempic, Wegovy & Trulicity Eye Injury Claims 2026
Asbestos Trust Fund Claims for US Navy Veterans With Mesothelioma: 2026 Guide
