Dallas-based AT&T faces a class action lawsuit over 2022 data breaches that put millions’ data at risk

Dallas-based telecommunications company AT&T is facing a class action lawsuit over a security breach that compromised several months’ worth of data belonging to nearly all of its customers in 2022.

Dina Winger, an AT&T customer for more than 15 years, filed the lawsuit in federal court in North Texas on Friday, the same day AT&T announced it learned in April that customer data was being illegally downloaded to a third-party cloud platform.

The lawsuit alleges that AT&T failed to protect the personal information it collected and exploited, leaving customers like Winger exposed to extortion, identity theft, fraud and other risks.

“If AT&T had implemented the necessary, industry-standard security measures and exercised reasonable care, data thieves would not have been able to steal the personal information of Plaintiff and the class members,” the lawsuit states.

An AT&T spokesperson referred KERA News to the company’s July 12 press release when asked for comment on the negligence allegations.

The company has taken steps to “close the illegal access point” and is working with law enforcement to arrest those involved, the press release said. At least one person has been arrested, the press release said.

AT&T says its investigation showed that the compromised data included phone call and text message records from May 1, 2022, to October 31, 2022, as well as some records from January 2, 2023, for a “very small” number of customers.

This includes records of other phone numbers with which an AT&T mobile number has interacted, including landline numbers. Some records include mobile identification numbers associated with the interactions.

“This is exactly what many of us have feared for years: that private call and text data would fall into the hands of hackers,” said Patrick Yarborough, one of the lawyers in the case.

The compromised data does not include the content or timestamps of calls or text messages, nor does it include Social Security numbers, birth dates or other personally identifiable information, AT&T said, noting that there are other ways to find names associated with a phone number online. The company believes none of the data is publicly available.

This is unrelated to a security breach in March that affected approximately 73 million current and former AT&T account holders. The stolen data may have included customers’ names, addresses, social security numbers, passwords, email addresses, phone numbers, birth dates and AT&T account numbers.

According to the Texas Attorney General’s data breach reporting website, 7.6 million Texans were affected by the March data breach.

The lawsuit accuses AT&T of failing to be transparent about the nature and extent of recent security breaches. Yarborough said the public can take steps to protect their sensitive data, such as through credit monitoring.

“You have a right to have your private telephone conversations and who you call and who calls you remain confidential unless you choose to share that information,” he said.

Do you have a tip? Email Toluwani Osibamowo at [email protected]. You can follow Toluwani on X @tosibamowo.

KERA News is made possible by the generosity of our members. If you find this coverage valuable, please consider Make a tax-deductible donation today. Thank you very much.