AT&T suffered two massive data breaches, in **2019** and **2024**, that together affected nearly **200 million people**. The **2019 breach** exposed the **Social Security numbers, birth dates, and legal names** of **7.6 million current** and **65.4 million former customers**; it was discovered only in **2024**, when the data surfaced on the dark web. In the **2024 breach**, hackers (linked to **ShinyHunters**) accessed the **phone records of ~109 million customers**, containing call and text metadata, in AT&T’s **Snowflake cloud warehouse**. Both breaches led to a **$177 million class-action settlement**, with payouts of up to **$5,000 (2019 victims with documented losses)** and **$2,500 (2024 victims with proof)**. The breaches triggered **password resets for all affected users**, legal action against two arrested hackers, and consolidated lawsuits. Of the settlement, **$149 million** goes to the **2019 incident** and **$28 million** to the **2024 Snowflake breach**.
TPRM report: https://www.rankiteo.com/company/att
{
  "id": "att3362133100925",
  "linkid": "att",
  "type": "Breach",
  "date": "6/2019",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '~200 million (73M in 2019, 109M '
'in 2024; overlap possible)',
'industry': 'Telecom',
'location': 'United States',
'name': 'AT&T',
'size': 'Large (Fortune 500)',
'type': 'Telecommunications'},
{'customers_affected': "AT&T's 109M US customers "
'(indirectly)',
'industry': 'Technology',
'location': 'United States',
'name': 'Snowflake (2024 breach only)',
'size': 'Large',
'type': 'Cloud Data Warehouse Provider'}],
'attack_vector': [{'breach_2019': 'Unknown (data found on dark web)',
'breach_2024': 'Unauthorized access to Snowflake cloud '
'data warehouse (credential-based attack by '
'ShinyHunters)'}],
'customer_advisories': ['File claims by Nov. 18, 2025 via '
'telecomdatasettlement.com or mail.',
'Documented losses may increase payout (up to $5K for '
'2019, $2.5K for 2024).',
'Check spam folders for Class Member ID '
'notifications.',
'Call 833-890-4930 for assistance.'],
'data_breach': {'data_exfiltration': [{'breach_2019': 'Yes (data found on '
'dark web)',
'breach_2024': 'Yes (accessed via '
'Snowflake)'}],
'file_types_exposed': [{'breach_2019': 'Database records '
'(structured)',
'breach_2024': 'Call detail records '
'(CDRs), logs'}],
'number_of_records_exposed': [{'breach_2019': '73,000,000',
'breach_2024': '109,000,000'}],
'personally_identifiable_information': [{'breach_2019': 'Yes '
'(SSNs, '
'names, '
'birth '
'dates)',
'breach_2024': 'Indirect '
'(phone '
'numbers, '
'call '
'metadata)'}],
'sensitivity_of_data': [{'breach_2019': 'High (SSNs, full '
'names, birth dates)',
'breach_2024': 'Moderate (phone '
'records, no '
'financial data)'}],
'type_of_data_compromised': [{'breach_2019': 'PII (Social '
'Security '
'numbers, birth '
'dates, legal '
'names)',
'breach_2024': 'Phone records '
'(call logs, '
'metadata from '
'2022)'}]},
'date_detected': [{'breach_2019': '2024-03-01 (disclosed)',
'breach_2024': '2024-04-01 (detected), 2024-07-01 '
'(disclosed)'}],
'date_publicly_disclosed': [{'breach_2019': '2024-03-01',
'breach_2024': '2024-07-01'}],
'description': 'AT&T was responsible for two of the largest data breaches in '
'history, affecting nearly 200 million people. The breaches '
'occurred in 2019 (involving personal data like Social '
'Security numbers) and 2024 (involving phone records accessed '
'via Snowflake). A $177 million class action settlement was '
'approved in 2025, with payouts for affected individuals.',
'impact': {'brand_reputation_impact': 'Significant (one of the largest '
'breaches in history; public distrust)',
'customer_complaints': 'Multiple lawsuits consolidated into class '
'action',
'data_compromised': [{'breach_2019': '73 million records (7.6M '
'current + 65.4M former '
'customers)',
'breach_2024': '109 million records (phone '
'records from 2022)'}],
'financial_loss': '$177 million (settlement payout: $149M for 2019 '
'breach, $28M for 2024 breach)',
'identity_theft_risk': [{'breach_2019': 'High (SSNs, birth dates, '
'legal names exposed)',
'breach_2024': 'Moderate (phone records, '
'call logs)'}],
'legal_liabilities': '$177 million settlement + potential '
'regulatory fines',
'operational_impact': ['Password resets for 7.6M current customers '
'(2019)',
'Legal and settlement administration '
'overhead'],
'systems_affected': [{'breach_2019': 'AT&T customer databases',
'breach_2024': 'Snowflake cloud data '
'warehouse'}]},
'initial_access_broker': {'data_sold_on_dark_web': [{'breach_2019': 'Yes',
'breach_2024': 'Likely '
"(ShinyHunters' "
'modus '
'operandi)'}],
'entry_point': [{'breach_2019': 'Unknown (dark web '
'leak)',
'breach_2024': 'Compromised '
'Snowflake '
'credentials '
'(likely via '
'ShinyHunters)'}],
'high_value_targets': [{'breach_2019': 'Customer '
'PII (SSNs, '
'names)',
'breach_2024': 'Historical '
'phone '
'records '
'(2022 '
'data)'}]},
'investigation_status': 'Closed (settlement approved; two arrests for 2024 '
'breach)',
'lessons_learned': ['Delayed disclosure (2019 breach revealed 5 years later) '
'erodes trust.',
'Third-party risks (Snowflake) require stricter access '
'controls and monitoring.',
'Proactive password resets can mitigate post-breach '
'risks.',
'Class action settlements are costly but necessary for '
'large-scale breaches.'],
'motivation': [{'breach_2019': 'Likely financial (data sold on dark web)',
'breach_2024': 'Financial (data exfiltration for sale or '
'ransom)'}],
'post_incident_analysis': {'corrective_actions': ['Settlement fund for '
'victims.',
'Assumed: Strengthened '
'third-party access '
'controls (e.g., MFA for '
'Snowflake).',
'Proactive password resets '
'for affected users (2019).',
'Legal accountability '
'(arrests for 2024 '
'breach).'],
'root_causes': [{'breach_2019': 'Unknown (poor '
'data protection '
'or insider '
'threat)',
'breach_2024': 'Weak credential '
'management for '
'Snowflake access; '
'lack of '
'multi-factor '
'authentication '
'(MFA) or IP '
'restrictions'}]},
'ransomware': {'data_exfiltration': [{'breach_2019': 'Yes (dark web sale)',
'breach_2024': 'Yes (accessed via '
'Snowflake)'}]},
'recommendations': ['Implement zero-trust architecture for third-party cloud '
'providers.',
'Enhance dark web monitoring for leaked credentials/data.',
'Accelerate breach disclosure timelines to comply with '
'regulations and maintain transparency.',
'Conduct regular audits of third-party vendor security '
'practices.',
'Offer credit monitoring for victims of PII exposure.'],
'references': [{'source': 'CNET',
'url': 'https://www.cnet.com/tech/mobile/att-data-breach-settlement-how-to-file-a-claim-and-how-much-you-could-get/'},
{'source': 'US District Court (Northern District of Texas)'},
{'source': 'Kroll Settlement Administration',
'url': 'https://telecomdatasettlement.com'}],
'regulatory_compliance': {'legal_actions': ['Class action lawsuits '
'consolidated (settled for $177M)',
'Two arrests for 2024 breach']},
'response': {'communication_strategy': ['Public disclosures (2024-03 and '
'2024-07)',
'Dedicated settlement website',
'Customer notifications with Class '
'Member IDs'],
'containment_measures': [{'breach_2019': 'Password resets for '
'affected current '
'customers',
'breach_2024': 'Snowflake access '
'revoked; investigation '
'into credential '
'compromise'}],
'enhanced_monitoring': 'Likely (not explicitly stated)',
'incident_response_plan_activated': 'Yes (password resets for '
'2019 breach; legal '
'coordination for both)',
'law_enforcement_notified': 'Yes (two arrests made for 2024 '
'breach)',
'recovery_measures': ['Class action settlement website '
'(telecomdatasettlement.com)',
'Customer notifications via email'],
'remediation_measures': ['$177M settlement fund',
'Enhanced monitoring (assumed)'],
'third_party_assistance': ['Kroll Settlement Administration '
'(claims management)',
'Law firms (class action '
'settlement)']},
'stakeholder_advisories': ['Customers notified via email with Class Member '
'IDs.',
'Public settlement website with claim forms.',
'Media announcements (CNET, other tech outlets)'],
'threat_actor': [{'breach_2019': 'Unknown',
'breach_2024': 'ShinyHunters (hacker group; two arrests '
'made)'}],
'title': 'AT&T Data Breaches (2019 & 2024)',
'type': ['Data Breach (2019)',
'Data Breach via Third-Party (Snowflake, 2024)'],
'vulnerability_exploited': [{'breach_2024': 'Misconfigured or compromised '
'Snowflake credentials (likely '
'poor access controls or '
'credential stuffing)'}]}