AT&T to Pay $177M in Settlement After Dual Data Breaches Expose Over 180 Million Records
Why This Alert Is Important
This case sets a sobering precedent: data breaches don’t just impact customers — they reverberate across regulatory, legal, and reputational dimensions. What’s striking is how long the exposure remained unacknowledged and unmitigated. The use of poorly secured third-party cloud environments and a lack of transparent breach response led to one of the largest privacy settlements in U.S. history.
Overview of the Enforcement Action
What Happened in the AT&T Breaches
AT&T has agreed to a $177 million settlement to resolve class action lawsuits stemming from two massive data breaches — one dating back to 2019 and another in 2024 — that together compromised sensitive personal and behavioral information of over 180 million U.S. customers.
The first breach, claimed by the hacking group ShinyHunters, leaked names, Social Security numbers, birthdates, and login passcodes of 73 million current and former AT&T customers. The second breach, traced to AT&T’s third-party cloud storage provider Snowflake, exposed call and text metadata — including timestamps, contact numbers, and geolocation details — for nearly 109 million individuals.
Though AT&T has denied responsibility, a U.S. District Court has granted preliminary approval for the $177 million payout. The settlement prioritizes customers who can provide evidence of direct financial harm, with potential payments of up to $5,000 (2019 breach) or $2,500 (2024 breach). Notices to eligible individuals will be sent beginning August 4, 2025, and payments are expected in early 2026.
What it covers
Implications of the AT&T Breach Settlement for Organizations
Blind spots into the data you hold (or third parties hold on your behalf) can routinely cost organizations 7, 8, and even 9 figure fines–and that doesn’t include additional lost revenue due to reputational damage. Regulators and courts are making one thing clear: organizations must know exactly where personal data resides — and who can access it. The AT&T breach underscores a critical gap many companies face: lack of visibility and control over data held in third-party and cloud environments.
Technology can help, both with understanding the data your organization holds and managing third-party risk. An automated data mapping solution can help you keep a firm grasp on what data you hold, where it is, and what processing activities are being performed. Look for a solution that can:
- Continuously discover and inventory structured and unstructured data
- Detect and classify personal data across internal and third-party systems
- Maintain audit-ready records of processing
- Surface cross-border data flows and high-risk storage locations
“AT&T’s $177 million settlement underscores a critical truth: you can’t protect what you can’t see. The real failure wasn’t just the breach; it was the blindness to data risk across third-party and cloud environments. Both incidents revealed massive visibility gaps: one in proprietary infrastructure, the other in outsourced storage. In today’s regulatory landscape, delayed data discovery and unclear data ownership aren’t just operational weaknesses — they’re legal liabilities. Organizations must implement continuous, automated data mapping and third-party risk monitoring to avoid becoming the next headline. When visibility is low, breach latency is high and so is the cost.”Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product, Privacy, Exterro
Data Privacy Tip
Explore how your organization can evaluate its data governance posture and reduce exposure to breach-driven liability. Get started with our Privacy Program Assessment Checklist
