edition.cnn.com | CNN Business - Millions of AT&T customers can file claims worth up to $7,500 in cash payments as part of a $177 million settlement related to data breaches in 2024.
The telecommunications company had faced a pair of data breaches, announced in March and July 2024, that were met with lawsuits.
Here’s a breakdown.
What happened?
On March 30, 2024, AT&T announced it was investigating a data leak that had occurred roughly two weeks prior. The breach had affected data until 2019, including Social Security numbers, and the information of 73 million former and current customers was found in a dataset on the dark web.
Four months later, the company blamed an “illegal download” on a third-party cloud platform that it learned about in April for a separate breach. This leak included telephone numbers of “nearly all” of AT&T cellular customers and customers of providers that used the AT&T network between May 1 and October 31, 2022, the company said.
The class-action settlement includes a $149 million cash fund for the first breach and a $28 million payout for the second breach.
Am I eligible for a claim?
AT&T customers whose data was involved in either breach, or both, will be eligible. Customers eligible to file a claim will receive an email notice, according to the settlement website.
AT&T said Kroll Settlement Administration is notifying current and former customers.
How do I file a claim?
The deadline to submit a claim is November 18. The final approval hearing for the settlement is December 3, according to the settlement website, and there could be appeals following an approval “and resolving them can take time.”
“Settlement Class Member Benefits will begin after the Settlement has obtained Court approval and the time for all appeals has expired,” the website states.
How much can I claim?
Customers impacted by the March incident are eligible for a cash payment of up to $5,000. Claims must include documentation of losses that happened in 2019 or later, and that are “fairly traceable” to the AT&T breach.
Categories: U.S. Federal Law, Cybersecurity, Enforcement
In a surprising development in the US Securities and Exchange Commission’s (“SEC’s”) ongoing securities fraud case against SolarWinds Corp. (“SolarWinds”) and its former chief information security officer (“CISO”), Timothy Brown, all three parties have petitioned the judge for a stay pending final settlement. Until the SEC’s four commissioners can vote to approve the settlement, the parties have requested the stay until at least September 12, 2025.
As we previously reported, in October 2023, the SEC sued software developer SolarWinds and its former CISO, alleging that SolarWinds misled investors about a series of heavily publicized cyberattacks that targeted the company, culminating in the December 2020 Sunburst malware attack. In addition to alleging securities fraud and violations of SEC reporting provisions, the SEC also alleged that SolarWinds violated Sarbanes-Oxley internal control provisions.
In July 2024, U.S. District Judge Paul A. Engelmayer granted SolarWinds’ and the company’s former CISO’s motions to dismiss on most claims. A single set of fraud claims survived concerning alleged misstatements and omissions in a “Security Statement” that was published on SolarWinds’ website. The Security Statement described the company’s various cybersecurity practices, which the SEC alleges painted an incomplete and misleading picture. As recently as June 2025, the SEC indicated it was ready to try the case and filed a motion in opposition to the defendants’ motion to dismiss the remaining claim.
On July 2, 2025, all three parties—the SEC, SolarWinds and the company’s former CISO—sent a joint letter to the judge indicating they had reached an agreement in principle to settle the case. Any settlement is subject to approval of the four SEC commissioners. As noted above, the parties’ joint letter requested a stay until at least September 12, 2025 to give the SEC commissioners time to review the matter. Two of the sitting commissioners have been critical of the SEC’s case.
It is difficult to speculate what the final terms of settlement may be. Unrelated to this case, with the change in presidential administration, the SEC has dismissed numerous enforcement cases targeting the cryptocurrency industry on the grounds that the cases were imprudently brought. It is possible this philosophy has now been extended to the SolarWinds case, and the SEC may seek to drop the case entirely. It also is possible that this movement by the SEC staff is more in line with other settled cases, and could simply entail reduced charges and remedies acceptable to all parties. The fact that the SEC enforcement staff still needs approval by the SEC commissioners may imply that this latter scenario is more likely. Like any plaintiff, the SEC does from time to time settle enforcement cases after they have entered litigation for any number of reasons.
Affected users can try to claim up to $10,000 if the breach at 23andMe led to financial fraud or paying up for security or mental health services.
Attorneys general found that Google violated state consumer protection laws by misleading consumers about its location-data practices, tracking consumers even when their location history setting was turned off.
