Quick Answer Box
- What is this case? AT&T faces consolidated federal class action litigation over two separate data breaches affecting an estimated 73 to 110 million current and former customers, with cases centralized in the Northern District of Texas under MDL No. 3114.
- Who qualifies? Current and former AT&T wireless and wireline customers whose personal data, including Social Security numbers, call records, or account credentials, appeared in either the 2021 dark web dataset or the 2024 confirmed network breach.
- What is it worth? Individual payouts in data breach class actions of this scale typically range from $50 to $5,000 depending on documented harm, with higher awards available to claimants who can show identity theft, financial loss, or out-of-pocket expenses directly tied to the breach.
Case Snapshot
| Detail | Information |
|---|---|
| Court | U.S. District Court, Northern District of Texas, Dallas Division |
| MDL Number | MDL No. 3114 — In re: AT&T Inc. Customer Data Security Breach Litigation |
| Presiding Judge | Judge Sam A. Lindsay |
| Initial Filing Date | April 2024 (first wave of class actions following AT&T's public confirmation) |
| Status (as of 2026) | Active litigation; class certification proceedings ongoing |
| Settlement Fund | No final settlement announced as of publication; negotiations reported in progress |
| Estimated Affected Accounts | 73 million (2021 dataset) / 110 million (2024 call records breach) |
| Defendant | AT&T Inc. |
| Regulatory Actions | FCC investigation confirmed; FTC inquiry reported |
The AT&T data breach lawsuit stands as one of the largest telecommunications data breach litigations in U.S. federal court history. Two distinct breach events, separated by three years, generated a wave of federal class actions that the Judicial Panel on Multidistrict Litigation consolidated into a single proceeding in the Northern District of Texas.
For claimants, the distinction between the two breaches matters. Each maps to a different population of affected customers. Each carries different legal theories and different categories of recoverable damages.
The litigation is active. Class certification is contested. Settlement negotiations are proceeding behind closed doors as of early 2026.
Readers who believe their data was compromised have a narrowing window. Statutes of limitations run from the date of discovery, and courts have taken a hard line on late-filed claims in MDL proceedings of this size.
What Is the AT&T Data Breach Lawsuit?

The AT&T data breach lawsuit refers to consolidated federal class action litigation brought against AT&T Inc. for failing to protect the personal data of tens of millions of customers across two separate security failures.
The first event traces to a dataset that surfaced on dark web forums in 2021, containing records attributed to approximately 73 million AT&T customers. AT&T initially denied the data was authentic. The company reversed that position in March 2024, confirming the data was real and that it originated from AT&T systems.
The second event, disclosed in July 2024, involved AT&T's call and text record metadata for nearly all wireless customers over a six-month period in 2022. This breach was linked to a compromise of a third-party cloud platform, identified in reporting as Snowflake.
*Attorney Insight: Attorneys handling these claims point to AT&T's three-year delay in confirming the 2021 dataset as a central argument in the negligence and breach of implied contract theories — the company's own admissions undercut its early defenses.*
Key Facts at a Glance:
- Defendant: AT&T Inc.
- Court: U.S. District Court, Northern District of Texas
- MDL No.: 3114
- Confirmed breach dates: March 2024 (2021 dataset disclosure); July 2024 (2022 call records)
- Estimated affected individuals: Up to 110 million across both events
AT&T Data Breach Class Action Lawsuit: How the Cases Were Filed
The AT&T data breach class action lawsuit began with individual filings in multiple federal districts within days of AT&T's March 2024 public confirmation.
Plaintiffs' firms filed complaints in the Northern District of Texas, the Southern District of New York, and the Central District of California, among others. The Judicial Panel on Multidistrict Litigation (JPML) consolidated the cases into MDL No. 3114, assigned to the Northern District of Texas, Dallas Division, before Judge Sam A. Lindsay.
The legal theories advanced across the consolidated complaints include negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of state consumer protection statutes. Several complaints specifically invoke the California Consumer Privacy Act (CCPA) and the Texas Identity Theft Enforcement and Protection Act.
*Attorney Insight: Attorneys handling these claims note that the negligence per se theory is particularly strong where AT&T's conduct can be measured against FCC data security rules for telecommunications carriers, which carry a clear duty-of-care standard.*
Primary Legal Theories in the MDL:
| Legal Theory | Basis |
|---|---|
| Negligence | Failure to implement reasonable data security |
| Negligence Per Se | Violation of FCC CPNI rules and federal standards |
| Breach of Implied Contract | AT&T's privacy representations to customers |
| Unjust Enrichment | AT&T profited from data without adequate protection |
| State Statutory Claims | CCPA (California), TITEPA (Texas), and others |
AT&T Data Breach Lawsuit Status in 2026
As of early 2026, the AT&T data breach lawsuit remains in active litigation before Judge Sam A. Lindsay in the Northern District of Texas.
Following consolidation in late 2024, the court entered a case management schedule governing discovery, motion practice, and class certification briefing. Plaintiffs filed their motion for class certification in late 2025. AT&T's opposition brief challenged Article III standing for claimants who cannot demonstrate concrete, particularized harm beyond the exposure of data.
The standing question is the litigation's most contested legal fault line. Courts have split on whether the risk of future identity theft satisfies the "concrete injury" requirement under *TransUnion LLC v. Ramirez*, 594 U.S. 413 (2021). The outcome of that question in the Northern District of Texas will determine how many millions of claimants remain in the class.
*Attorney Insight: Attorneys handling these claims observe that claimants with documented identity theft events, fraudulent account openings, or out-of-pocket expenses after the breach have measurably stronger standing arguments than those asserting only the risk of future harm.*
2026 Litigation Milestones:
- Class certification motion filed: Late 2025
- AT&T opposition brief: Filed, early 2026
- Ruling on class certification: Anticipated mid-to-late 2026
- Settlement discussions: Reported ongoing, no agreement announced
- Trial date: Not yet set
AT&T Data Breach MDL: Court, Judge, and Docket Details
MDL No. 3114, formally styled *In re: AT&T Inc. Customer Data Security Breach Litigation*, is centralized in the U.S. District Court for the Northern District of Texas, Dallas Division.
The Judicial Panel on Multidistrict Litigation transferred cases from multiple districts to the Northern District of Texas in recognition of AT&T's corporate headquarters in Dallas and the factual overlap across all filed complaints.
Judge Sam A. Lindsay, a senior U.S. District Judge with extensive experience presiding over complex civil litigation, is the assigned judge. The court has issued several case management orders governing the pace of discovery and the sequencing of class certification briefing.
*Attorney Insight: Attorneys handling these claims flag that the Northern District of Texas is considered a relatively defense-friendly forum, which makes vigorous class certification advocacy and a strong standing argument especially critical for plaintiffs' counsel.*
MDL Docket Quick Facts:
| Item | Detail |
|---|---|
| MDL Designation | MDL No. 3114 |
| Formal Case Name | In re: AT&T Inc. Customer Data Security Breach Litigation |
| Court | U.S. District Court, N.D. Texas, Dallas Division |
| Assigned Judge | Judge Sam A. Lindsay |
| Transferring Panel | Judicial Panel on Multidistrict Litigation (JPML) |
| Primary Discovery Period | 2024 to 2026 |
Litigation Watch: The MDL consolidation in the Northern District of Texas is favorable to AT&T from a venue standpoint, making the class certification ruling — expected mid-to-late 2026 — the case's most consequential near-term event.
AT&T Data Breach 2021 vs. 2024: Two Breaches, Two Legal Paths
The AT&T data breach litigation involves two distinct security events, each with a different affected population, different data types, and different legal exposure.
The 2021 dataset contains full consumer records including names, addresses, dates of birth, Social Security numbers, and encrypted account PINs. AT&T confirmed in March 2024 that this data originated from its systems, affecting approximately 73 million current and former account holders. The company's three-year delay in confirming the breach is a central fact in plaintiffs' negligence and concealment arguments.
The 2024 call records breach, disclosed in July 2024, involved metadata — specifically, records of which numbers called which other numbers and when, covering a six-month window in 2022. This event affected nearly all AT&T wireless customers. While metadata may seem less sensitive, plaintiffs argue that call pattern data can reveal medical providers, legal counsel, financial relationships, and other private associations.
*Attorney Insight: Attorneys handling these claims treat these as two analytically separate matters. A claimant from the 2021 dataset has a different damages profile than one whose call records were exposed in 2024 — and some claimants are in both groups, which strengthens their overall case.*
Side-by-Side Breach Comparison:
| Factor | 2021 Dataset Breach | 2024 Call Records Breach |
|---|---|---|
| Confirmed Date | March 2024 | July 2024 |
| Data Period | Records up to 2021 | Six-month window in 2022 |
| Estimated Affected | ~73 million | ~110 million |
| Data Type | SSNs, DOBs, addresses, PINs | Call/text metadata |
| Third Party Involved | Not confirmed | Snowflake (cloud platform) |
| Primary Legal Risk | Identity theft, fraud | Privacy exposure, profiling |
What Data Was Stolen in the AT&T Breach?
The categories of data compromised across the two AT&T breach events differ significantly, and the distinction affects both the type of harm claimants can allege and the strength of their damages case.
In the 2021 dataset, the compromised data included full names, home addresses, phone numbers, dates of birth, Social Security numbers, AT&T account numbers, and encrypted account passcodes. AT&T confirmed in its March 2024 disclosure that some data appeared to date back to 2019 or earlier, meaning records from customers who had already closed their accounts were included.
In the 2024 call records breach, the compromised data was limited to metadata rather than content: specifically, records of which phone numbers communicated with which other numbers, on which dates, and for how long, for a period from approximately May to October 2022. The content of calls and texts was not captured. However, metadata alone can expose sensitive patterns.
*Attorney Insight: Attorneys handling these claims note that Social Security number exposure from the 2021 dataset creates a long-tail damages argument — identity theft facilitated by exposed SSNs can occur years after initial exposure, which courts have recognized as a basis for future harm damages.*
Data Compromised by Category:
- 2021 Breach: Full name, physical address, phone number, date of birth, Social Security number, AT&T account number, encrypted account PIN
- 2024 Breach: Call metadata (originating number, receiving number, call date, call duration), cell site location data for a subset of records
- Not Compromised in 2024: Content of calls or texts, credit card or payment information
Who Qualifies for the AT&T Data Breach Lawsuit?
Qualification for the AT&T data breach lawsuit turns on two primary factors: whether an individual's data was included in one or both breach events, and whether that individual can demonstrate some form of legally cognizable harm.
Current and former AT&T wireless and wireline customers whose records appear in the 2021 dataset are the primary plaintiff class for the most serious claims. This includes individuals who were AT&T customers at any point before 2021 and whose Social Security numbers or other identifiers are in the confirmed dataset. Former customers whose accounts were closed before the breach still qualify if their records were retained.
For the 2024 call records breach, the qualifying population includes virtually every AT&T wireless customer who had an active account during the May to October 2022 window.
*Attorney Insight: Attorneys handling these claims consistently advise that claimants who can document any concrete harm — a fraudulent credit inquiry, an unauthorized account opening, or documented expenses for credit monitoring — stand in a substantially better position for individual recovery.*
General Qualification Criteria:
| Criterion | 2021 Breach Claimant | 2024 Breach Claimant |
|---|---|---|
| AT&T customer before 2021 | Required | Not required |
| Active account in mid-2022 | Not required | Required |
| SSN in confirmed dataset | Strengthens claim | Not applicable |
| Documented financial harm | Strongly preferred | Helpful but not required |
| Received AT&T breach notice | Qualifies | Qualifies |
| Former customer, closed account | May still qualify | Unlikely to qualify |
Litigation Watch: The standing question — whether exposure alone constitutes a concrete injury — will determine whether the class includes tens of millions of claimants or is narrowed to those with documented harm.
AT&T Data Breach Eligibility Requirements Explained
Eligibility for the AT&T data breach class action is governed by the class definition the court certifies, which has not yet been finalized as of early 2026. The proposed class definitions in plaintiffs' filings set out the framework currently before the court.
For the 2021 dataset class, plaintiffs propose a class of all U.S. residents who were AT&T customers and whose personal information was included in the breach dataset AT&T confirmed in March 2024. Sub-classes are proposed for residents of states with heightened data privacy statutes, including California, Illinois, and Texas.
For the 2024 call records class, plaintiffs propose a class of all AT&T wireless subscribers whose call and text metadata was compromised during the 2022 breach window. This class skews toward current customers and does not rely on Social Security number exposure.
*Attorney Insight: Attorneys handling these claims point to the proposed state sub-classes as a strategic choice — California's CCPA, for instance, provides statutory damages of $100 to $750 per consumer per incident, which can be substantial at class scale even without individual proof of harm.*
Eligibility at a Glance:
- Received AT&T notification of breach involvement
- Was an AT&T customer during the relevant period
- Had personal data included in the confirmed breach dataset
- Is a U.S. resident
- Has not previously settled or released claims against AT&T for this event
- Filed or intends to file within applicable statutes of limitations
Which States Are Most Affected by the AT&T Data Breach?
The AT&T data breach affected customers across all 50 states, but the legal impact varies by state depending on applicable data privacy and consumer protection statutes.
Three states stand out for the strength of their data breach-specific legal frameworks. California residents benefit from the California Consumer Privacy Act (CCPA), which allows statutory damages between $100 and $750 per consumer per incident without requiring proof of actual harm. Illinois residents with biometric data implicated in any related breach can invoke BIPA, which provides $1,000 to $5,000 per violation. Texas residents have protections under the Texas Identity Theft Enforcement and Protection Act, which provides a private right of action for exposed residents.
Florida, New York, and Washington also have strengthened data breach notification laws, though their private right of action provisions are narrower than California's.
*Attorney Insight: Attorneys handling these claims frequently advise California residents that CCPA standing is easier to establish than Article III federal standing, and that a state court filing may preserve stronger recovery options for California-based claimants.*
State-by-State Legal Advantage Comparison:
| State | Governing Statute | Key Advantage |
|---|---|---|
| California | CCPA / CPRA | $100-$750 statutory damages, no injury proof needed |
| Illinois | BIPA (if biometrics involved) | $1,000-$5,000 per violation |
| Texas | TITEPA | Private right of action, identity theft damages |
| Florida | FIPA | Notification rights, limited private action |
| New York | SHIELD Act | Expanded definition of private info |
| Washington | My Health My Data Act (2024) | Enhanced health data protections |
AT&T Data Breach Settlement 2026: Where Things Stand
No final AT&T data breach settlement has been announced as of early 2026. The litigation remains in active class certification proceedings before Judge Sam A. Lindsay.
Settlement negotiations in MDL cases of this scale typically occur in parallel with litigation. Plaintiffs' and defense counsel in complex class actions frequently engage mediators while briefing and discovery continue. The absence of an announced settlement does not indicate that negotiations have not occurred — it indicates that the parties have not reached agreement on terms the court would approve.
The class certification ruling, expected in mid-to-late 2026, is the most likely catalyst for a settlement announcement. AT&T faces significant financial and reputational pressure to resolve the litigation before a certified class of tens of millions of claimants proceeds to merits discovery.
*Attorney Insight: Attorneys handling these claims note that AT&T settled the FCC's parallel regulatory investigation into the 2024 breach for $13 million in January 2025, a figure plaintiffs' counsel has cited in briefing as evidence of corporate acknowledgment of liability.*
Settlement Timeline Projection:
| Milestone | Expected Timing |
|---|---|
| Class certification ruling | Mid-to-late 2026 |
| Settlement negotiations intensify | Post-certification |
| Preliminary settlement agreement | Late 2026 or early 2027 (projected) |
| Court approval process | 6 to 12 months post-agreement |
| Distribution to claimants | 2027 or later (projected) |
Litigation Watch: AT&T's $13 million FCC settlement in January 2025 is the only confirmed financial resolution of any kind — the civil class action remains unresolved heading into mid-2026.
AT&T Data Breach Class Action Settlement Amount
No total settlement fund has been announced. Analysts and plaintiff-side attorneys working in the data breach space have referenced comparable settlements to project a probable range.
The largest U.S. data breach settlements provide useful benchmarks. T-Mobile reached a $350 million settlement in 2022 covering approximately 76 million affected customers. Equifax settled for $700 million (with $425 million going to a consumer restitution fund) for a breach affecting 147 million people. Both cases involved Social Security number exposure comparable to what AT&T has confirmed.
Applying those settlement-per-claimant ratios to the AT&T breach, a total fund of $200 million to $400 million falls within the projected range for the 2021 dataset breach claims. The 2024 metadata breach, which does not involve SSN exposure, would likely command a smaller per-person figure.
*Attorney Insight: Attorneys handling these claims acknowledge that final settlement fund size is always subject to what AT&T's litigation counsel and the court ultimately negotiate, but the Equifax and T-Mobile precedents create a credible floor for plaintiffs' demands.*
Comparable Data Breach Settlements:
| Company | Settlement Amount | Affected Individuals | SSN Exposed |
|---|---|---|---|
| Equifax (2019) | $700 million total / $425M consumer fund | 147 million | Yes |
| T-Mobile (2022) | $350 million | 76 million | Yes |
| Capital One (2021) | $190 million | 98 million | Yes |
| AT&T (projected) | $200M-$400M (no agreement yet) | 73M-110M | Yes (2021 breach) |
AT&T Data Breach Payout Per Person: What Claimants Can Expect
Individual payout amounts in the AT&T data breach lawsuit will depend on the total settlement fund, the number of valid claims filed, and the extent to which each claimant can document harm.
In comparable settlements, the base payment for claimants who file without documented harm — known as a "general damages" or "general award" tier — has ranged from $50 to $100 per person. Claimants who submit proof of out-of-pocket expenses, such as credit monitoring costs, identity theft insurance, or time spent remedying fraud, have received between $500 and $1,000 in enhanced awards.
Claimants who can document actual identity theft, fraudulent account openings, or financial losses directly traceable to the breach represent the highest-value tier. In the Equifax settlement, this tier produced awards up to $20,000 for documented losses.
*Attorney Insight: Attorneys handling these claims consistently advise clients to preserve every document related to identity theft activity since the breach — bank statements showing unauthorized transactions, credit reports showing new accounts, and any correspondence with creditors about fraudulent activity.*
Projected Payout Tiers:
| Claimant Category | Estimated Payout Range |
|---|---|
| Basic claim, no documented harm | $50 to $100 |
| Out-of-pocket expenses documented | $100 to $1,000 |
| Time spent remediating fraud | $75 to $250 (in addition to expenses) |
| Documented identity theft or financial loss | $1,000 to $5,000+ |
| Severe documented harm (California CCPA tier) | Up to $750 per incident, statutory |
AT&T Data Breach Compensation: How Damages Are Calculated
Damages in the AT&T data breach lawsuit are calculated using legal categories that courts apply in data breach class actions, not a simple flat-payment formula.
Actual damages cover quantifiable losses: fraudulent charges, costs of credit freezes, identity theft remediation services, and lost time with a reasonable hourly value assigned by the court. Courts have used $25 per hour as a reference figure for time-based damages in recent settlements.
Statutory damages apply in states like California and Illinois, where no proof of actual harm is required. Under the CCPA, each consumer whose data was accessed without authorization is entitled to between $100 and $750 per incident, or actual damages if greater.
Consequential damages cover harms that flow from the breach itself — missed work, fraudulent debt collection, damaged credit scores — but require documentation and a traceable causal link to the specific data exposed.
*Attorney Insight: Attorneys handling these claims note that the strongest damages presentations combine all three categories — actual documented losses, plus time-based claims, plus applicable statutory awards — to maximize the individual recovery from any settlement tier.*
Damages Categories in the AT&T Case:
- Actual damages: Provable financial losses tied to the breach
- Time-based damages: Hours spent remedying breach consequences
- Statutory damages: CCPA ($100-$750), BIPA ($1,000-$5,000) where applicable
- Credit monitoring costs: If purchased post-breach notification
- Emotional distress: Available in some state courts, limited in federal MDL
Litigation Watch: Claimants who document every expense, every hour of remediation time, and every fraudulent account linked to the breach will be positioned for the highest recovery tier regardless of the final settlement structure.
AT&T Data Breach Claim Deadline: What You Need to Know
The AT&T data breach claim deadline has two distinct components: the statute of limitations for filing a lawsuit or joining the class, and the claims submission deadline that will be set after a settlement is approved.
For individuals who have not yet taken legal action, the statute of limitations under federal negligence law and most state analogs runs from the date the plaintiff discovered, or reasonably should have discovered, the breach. AT&T's March 2024 public confirmation of the 2021 breach is the trigger date courts are most likely to use for the discovery clock. That places the standard two-year limitations period at approximately March 2026 for some state law claims.
California's CCPA private right of action has its own limitations period. Texas and Illinois statutes vary. The practical advice from litigation counsel is consistent: the window to preserve the strongest available claims is closing.
*Attorney Insight: Attorneys handling these claims note that joining the MDL class does not require filing an independent lawsuit — but documenting harm, preserving records, and consulting with counsel before any applicable deadline is critical to preserving options.*
Claim Deadline Reference Table:
| Deadline Type | Timing |
|---|---|
| Federal negligence SOL (2021 breach) | ~March 2026 (2 years from AT&T's confirmation) |
| California CCPA private action SOL | 3 years from discovery |
| Texas TITEPA SOL | 2 years from discovery |
| Illinois consumer protection SOL | 5 years from discovery |
| MDL claims submission deadline | Set by court post-settlement (not yet announced) |
| FCC complaint period | Closed (FCC settlement finalized January 2025) |
How to File an AT&T Data Breach Claim
Filing a claim in the AT&T data breach lawsuit involves distinct steps depending on whether the claimant is pursuing an individual lawsuit, joining existing class claims, or awaiting a court-approved claims process after settlement.
At the present stage — with class certification still pending — the primary action for most potential claimants is to consult with an attorney who handles data breach class actions and to preserve all relevant documentation. Mass participation in a claims portal, similar to what occurred in the Equifax settlement, will only become available after a settlement is reached and the court approves a distribution plan.
Individual claimants with documented substantial harm — significant financial losses, serious identity theft, or demonstrable consequential damages — may have stronger grounds to pursue independent claims or opt out of any class settlement for individual litigation.
*Attorney Insight: Attorneys handling these claims advise claimants to take three immediate steps: run a credit report from all three major bureaus, place a credit freeze if not already done, and document every expense or time spent dealing with any fraud since March 2024.*
Step-by-Step for Claimants Right Now:
- Confirm whether you received an AT&T breach notification letter
- Obtain credit reports from Equifax, Experian, and TransUnion
- Document any suspicious activity since 2021 (or since receiving the notice)
- Preserve all records — account statements, correspondence, receipts for monitoring services
- Consult a data breach class action attorney before applicable deadlines
- Do not sign any release or accept any compensation from AT&T without legal review
- Monitor the MDL docket for claims portal announcements post-settlement
AT&T Data Breach Attorney: What Type of Lawyer Handles This
The AT&T data breach lawsuit is handled by plaintiff-side class action attorneys who specialize in consumer data privacy litigation, not general practice lawyers or personal injury attorneys.
This distinction matters. Data breach class actions require attorneys with specific experience in MDL procedure, Article III standing doctrine, class certification strategy, and the intersection of state consumer protection statutes with federal litigation. Attorneys who primarily handle car accidents or slip-and-fall cases do not have the procedural background for complex MDL data breach litigation.
The firms currently active in MDL No. 3114 are large plaintiff-side class action practices with national reach. Most take these cases on a contingency fee basis, meaning no upfront cost to the claimant. Attorney fees in class action settlements are typically 25% to 33% of the total recovery, paid from the settlement fund, not from individual claimants' awards.
*Attorney Insight: Attorneys handling these claims recommend that potential claimants specifically ask prospective counsel whether the firm is active in MDL No. 3114 and whether it has participated in prior data breach MDL proceedings — experience with the Northern District of Texas federal court practice is a meaningful differentiator.*
What to Look for in a Data Breach Attorney:
- Active participation in MDL No. 3114 or comparable data breach MDLs
- Experience with Article III standing arguments post-*TransUnion*
- Familiarity with CCPA, BIPA, and TITEPA statutory claims
- Contingency fee representation (no upfront cost)
- Track record in Equifax, T-Mobile, Capital One, or similar settlements
- Clear explanation of what documentation the firm needs from the claimant
AT&T Lawsuit Data Breach: Corporate Liability and Regulatory Exposure
The AT&T data breach litigation is not occurring in isolation. Parallel regulatory proceedings have added a layer of corporate liability that informs both the litigation posture and the pressure AT&T faces to settle.
The FCC investigated the 2024 call records breach and reached a $13 million consent decree with AT&T in January 2025. That proceeding found AT&T failed to adequately protect Customer Proprietary Network Information (CPNI) — the federally regulated category of call record data. The consent decree included remedial requirements for AT&T's data security practices.
The FTC has separately expressed interest in the telecommunications sector's data practices following a series of high-profile carrier breaches. While no FTC enforcement action against AT&T has been publicly announced, the regulatory climate adds pressure. Corporate counsel must weigh the risk of a second major regulatory sanction against the cost of class action settlement.
*Attorney Insight: Attorneys handling these claims treat the FCC's $13 million consent decree as a litigation asset — the agency's formal finding that AT&T violated CPNI rules provides plaintiffs with a compelling factual foundation for the negligence per se theory without requiring plaintiffs to re-prove the underlying breach.*
Regulatory Actions Against AT&T — Data Breach:
| Agency | Action | Outcome | Date |
|---|---|---|---|
| FCC | Investigation of 2024 call records breach | $13M consent decree | January 2025 |
| FTC | Reported inquiry into telecom data practices | No public action as of early 2026 | Ongoing |
| State AGs | Multiple state investigations reported | Various, ongoing | 2024-2026 |
| DOJ | No criminal referral reported | N/A | N/A |
AT&T Breach Lawsuit: What Comes Next for Claimants
The AT&T breach lawsuit is entering its most consequential phase. The class certification ruling, expected mid-to-late 2026, will determine whether this litigation resolves as a mass settlement or fragments into individual proceedings.
For claimants, the near-term priority is preparation, not waiting. Every week that passes without preserving documentation, running credit checks, or consulting counsel is a week closer to the edge of applicable limitations periods.
The litigation's structure means individual claimants do not need to be actively filing motions or appearing in court. But the claimants who emerge with the strongest recovery will be those who, right now, are documenting harm, preserving records, and connecting with attorneys who are actively working the MDL.
*Attorney Insight: Attorneys handling these claims note that in settlements of this scale, the difference between a $75 check and a $5,000 award comes down almost entirely to documentation — claimants who built a paper trail before settlement negotiations concluded consistently recover more.*
What Happens Next — Projected Timeline:
| Event | Projected Timing |
|---|---|
| Class certification ruling | Mid-to-late 2026 |
| Post-certification settlement negotiations intensify | Q3-Q4 2026 |
| Preliminary settlement agreement (if reached) | Late 2026 or early 2027 |
| Court approval, notice to class | 2027 |
| Claims submission portal opens | 2027 |
| Distribution to eligible claimants | 2027 to 2028 |
Litigation Watch: The convergence of the class certification ruling, parallel FCC enforcement precedent, and AT&T's reputational pressure creates the conditions for a major settlement announcement in the second half of 2026.
Frequently Asked Questions
What is the AT&T data breach lawsuit about?
The AT&T data breach lawsuit involves class action claims against AT&T for failing to protect the personal data of up to 110 million customers across two breach events.
The 2021 breach exposed Social Security numbers, addresses, and account credentials; the 2024 breach exposed call and text metadata.
Cases are consolidated in MDL No. 3114 before Judge Sam A. Lindsay in the Northern District of Texas.
How do I know if my data was included in the AT&T breach?
AT&T issued breach notification letters to customers confirmed to be in the compromised dataset.
If you received a letter, your data was confirmed as affected; if you did not, you can check by reviewing your credit reports for unfamiliar accounts opened after 2021.
You may also run a dark web scan through major credit bureaus to check whether your SSN appears in known breach datasets.
How much money can I get from the AT&T data breach lawsuit?
No settlement has been finalized, so individual payout amounts are not yet confirmed.
Based on comparable settlements like T-Mobile ($350 million fund) and Equifax ($425 million consumer fund), general claimants without documented harm typically receive $50 to $100, while those with documented losses may recover $1,000 to $5,000 or more.
California residents may be entitled to CCPA statutory damages of $100 to $750 per incident regardless of documented harm.
What is the deadline to file an AT&T data breach claim?
The claims submission deadline for a court-approved settlement has not been set because no settlement has been reached.
For purposes of preserving your legal rights, the federal negligence statute of limitations runs approximately two years from the date you discovered or should have discovered the breach — for the 2021 dataset, that is approximately March 2026.
Consulting an attorney before that date is advisable to confirm which state law deadlines may also apply.
Do I need a lawyer to file an AT&T data breach claim?
You do not need a lawyer to submit a basic claim through a settlement portal once one is established.
However, claimants with significant documented harm, including identity theft or substantial financial loss, benefit from legal counsel to evaluate whether opting out of a class settlement and pursuing individual litigation yields higher recovery.
Data breach class action attorneys handle these cases on contingency, meaning no upfront cost.
What court is handling the AT&T data breach class action lawsuit?
The AT&T data breach class action lawsuit is centralized in the U.S. District Court for the Northern District of Texas, Dallas Division, under MDL No. 3114.
The case is formally styled *In re: AT&T Inc. Customer Data Security Breach Litigation* and is assigned to Judge Sam A. Lindsay.
The Judicial Panel on Multidistrict Litigation (JPML) ordered the consolidation in late 2024, after the wave of individual class action filings that followed AT&T's public breach disclosures.
Closing
The AT&T data breach lawsuit is a live, evolving federal proceeding with tens of millions of potential claimants and no settled outcome yet. The class certification ruling expected in mid-to-late 2026 will define who is in, how large the settlement fund will need to be, and when distribution begins.
Claimants who act now — preserving records, pulling credit reports, documenting fraud activity since 2021 — will be better positioned than those who wait for the claims portal to open. The litigation is moving faster than most comparable MDLs.
If you believe your data was affected, the most concrete next step is a consultation with an attorney who is active in MDL No. 3114 or who has handled comparable data breach class actions. That conversation costs nothing under a contingency arrangement and can clarify whether your documented harm places you in a higher recovery tier before any settlement locks in the terms.
