New class action lawsuit accuses AT&T of negligence and “unjust enrichment” after data theft

AT&T now faces a legal battle after the second major data breach of 2024 stole the phone numbers of more than 100 million U.S. customers who used the company’s wireless services between March and October 2022.

The case (3:24-cv-1797) is a class action lawsuit against the Dallas-based telecommunications giant filed late Friday night in the U.S. District Court for the Northern District of Texas by a 15-year AT&T customer, named plaintiff Dina Winger. The suit alleges that AT&T failed to be transparent about the severity of the breach, failed to protect important data from malicious parties and “unjustly enriched itself” by failing to protect customers’ information.

“As a direct and immediate result of AT&T’s failure to exercise reasonable and appropriate care and to implement commercially reasonable and appropriate security measures, Plaintiff’s and Class Members’ (personally identifiable information) was accessed by malicious individuals who could and will use the information to commit identity or financial fraud,” the lawsuit states. “Plaintiff and Class Members face an imminent, certainly imminent, and substantially increased risk of identity theft, fraud, and further misuse of their personal information.”

AT&T declined to comment on the lawsuit.

Patrick Yarborough, a Houston-based attorney who represents Winger and helped file the lawsuit, confirmed Monday that this is the first lawsuit filed against AT&T in Dallas over the data breach. If additional plaintiffs sue AT&T, their cases could be included in Winger’s class action lawsuit. Yarborough said he would not be surprised if “dozens” of additional plaintiffs and law firms join in the future because of the magnitude of the data breach.

AT&T disclosed in a document filed with the U.S. Securities and Exchange Commission on Friday that the source of the data breach was a “threat actor” who illegally gained access to corporate workspaces on a third-party cloud platform in April of this year. That actor gradually stole nearly six months of call logs, spanning May 1 to October 31, 2022, and January 2, 2023, compromising the phone numbers of “almost all” AT&T customers.

AT&T said the hacked channel is now closed and the stolen information is neither publicly available nor personally identifiable (such as social security numbers, names or ages). However, phone numbers can still be traced back to individuals using easily accessible online tools such as Whitepages.

Wired reported Sunday that AT&T paid one of the hackers more than $300,000 in Bitcoin in May to delete the stolen data, which was confirmed by video evidence. The hacker obtained the data by breaking into one of AT&T’s cloud storage accounts hosted by software company Snowflake. Wired reported that its customers also include companies such as Ticketmaster, Advance Auto Parts and the international banking company Santander. All of these companies and around 150 others were victims of security breaches between April and May.

“Like most companies that work with large amounts of data, we often use specialized and trusted cloud service platforms for various functions,” an AT&T spokesperson wrote in an email. “These platforms allow companies to work with large amounts of data in a centralized location. In this case, we had placed a copy of the data on the third-party platform to perform analytics related to our business.”

Even if the primary data set has been deleted, it remains unclear how much of AT&T customers’ data remains in unknown hands. This has forced customers to protect themselves from identity fraud by freezing credit or closing bank accounts, among other time-consuming and costly measures, the lawsuit says. The lawsuit claims this places an unfair burden on consumers who were guaranteed data security by AT&T and warrants compensation.

“Only AT&T was and is able to protect plaintiff and class members from the harm caused to them by the data breach,” the lawsuit states.

Class action lawsuits are the most popular and effective type of lawsuit when it comes to companies the size of AT&T or issues as wide-ranging as a data breach, says Carliss Chatman, an associate professor of law at Southern Methodist University. Because suing on behalf of a group of people rather than on an individual basis keeps costs low for plaintiffs and defendants and reduces delays in court.

In this lawsuit, the proposed “class members” include “all persons whose (personal identification information) was accessed and/or acquired as part of the data incident,” meaning that anyone who fits that definition is entitled to damages unless they object. Forming a class in cases like this, where the harm – stolen data – is clear, is much easier than in cases with many individual personal injuries, Chatman said.

“You want it to be easy for a court to put together a comparison matrix. That’s your ultimate goal.” The lawsuit defines its class as “all individuals whose (personally identifiable information) was accessed and/or acquired as part of the data incident.”

Class definitions are one of the most sensitive aspects of class action lawsuits and often one of the first things to be contested, Yarborough said. Combined with lengthy meetings with courts, co-plaintiffs, friendly law firms and, in this case, representatives from AT&T, this case could drag on for several years.

For most class action lawsuits, a trial is far less likely than a settlement, Chatman said. It’s possible AT&T will settle quickly if the class action is certified to avoid a lawsuit from shareholders or intervention by federal regulators. AT&T said in its SEC filing that it does not expect the breach to “materially affect” its financial position.

Chatman said lawyers advance the costs of “high-risk, high-reward” class action lawsuits so that their payout in a settlement is substantial — often more than a third of the total. If a settlement is reached with AT&T and the class action is large enough, clients and lawyers could reap a hefty profit.

However, she said the solution to the allegations in the lawsuit doesn’t have to be just money. “If we said this is going to cost everyone $100 per person, or if they said something like, ‘We want AT&T to pay for privacy monitoring or to have all credit reports frozen or for people to get a service that monitors their credit, their privacy, etc., in addition to money,’ then the courts can do that too.”

Whatever the solution, given the magnitude of the breach, a quick, inexpensive and easy fix is ​​unlikely.

“I think this is a pretty unique case, and so it’s pretty hard to say how much (AT&T) should be held accountable for,” Yarborough said. “When you’re talking about 100 million people, it’s hard to even talk about what a settlement or a verdict would look like. But let me tell you, it’s billions. No question about it.”