
AT&T Data Breach Litigation

Status: Current Case

Practice area: Consumer Protection

Court: United States District Court, Northern District of Georgia

Case number: 1:24-mi-99999


On April 2, 2024, Cohen Milstein and co-counsel filed a putative class action against AT&T Mobility on behalf of potentially 70 million current and former AT&T customers, whose names, addresses, phone numbers, Social Security numbers, PINs, and dates of birth were the subject of a massive data breach. Upon learning of the breach in August 2021 when hackers auctioned the database of 70 million customers’ personally identifiable information (PII) in an online hacking forum, AT&T denied the breach ever occurred and refused to investigate further.

Only three years later, when the contents of the database were publicly leaked on the dark web and independently verified, did AT&T admit the breach occurred and begin an investigation.

The lawsuit alleges AT&T was negligent in its handling of customers’ sensitive personal information, which it requires from all customers and uses for commercial benefit, by failing to adequately monitor its security measures and act in a timely manner when it discovered the breach. It also alleges AT&T breached its contract with customers based on its assertions in the company privacy notice that it would adequately safeguard users’ sensitive personal data and inform them of a data breach. The privacy notice also stated AT&T would destroy former customers’ data once it was no longer needed, yet 65.4 million customers whose data was leaked were former customers.

Case Background

As stated in the complaint, nearly three years ago, in 2021, AT&T, the country’s largest wireless carrier, learned that a well-known threat actor claimed to be selling a database containing the personal information of over 70 million AT&T customers. This information included customers’ names, addresses, phone numbers, Social Security numbers, and dates of birth. But instead of investigating the source and cause of the massive breach, AT&T denied the allegations, ignored the issue, and continued with operations. AT&T told one media outlet that “the information that appeared in an internet chat room does not appear to have come from our systems.” And when questioned about its vendors, AT&T chose not to speculate: “Given this information did not come from us, we can’t speculate on where it came from or whether it is valid.” AT&T attempted to fully wash its hands of the disaster.

The complaint further claims that almost three years later, the same customer data from 2021 is no longer just for sale; it has been fully exposed on the Dark Web. And after years of denial, AT&T has changed its tune. AT&T finally admitted that approximately 73 million former and current AT&T customers’ personal and sensitive information was released onto the Dark Web (the “Data Breach”). According to AT&T, customers’ impacted information included a combination of their “full name, email address, mailing address, phone number, social security number, date of birth, and AT&T account number and passcode” (collectively, “PII”), which AT&T collected as a condition for use of its services. This recent revelation marks a concerning turn of events.

The complaint further claims that in the nearly three years that have transpired, AT&T has not conducted a robust investigation into the data leak to determine who was responsible, where the data originated from, which customers were impacted, how the Data Breach occurred, and other key factors. Had it done so, the complaint speculates, the affected 73 million customers could have attempted to adequately protect themselves.

The complaint claims that this Data Breach and resulting injuries occurred because AT&T failed to implement reasonable security procedures and practices (including failing to exercise appropriate managerial control over third-party partner’s data security), failed to disclose material facts surrounding its deficient data security protocols, and failed to timely notify the victims of the Data Breach.

As a result of AT&T’s failure to protect the PII it was entrusted to safeguard, Plaintiffs and class members now face a significant risk of identity theft and fraud, financial fraud, and other identity-related fraud now and into the indefinite future.