
AT&T is facing multiple class-action lawsuits following the company's admission to a massive data breach that exposed the sensitive data of 73 million current and former customers.

Among the ten lawsuits filed since Saturday, when AT&T confirmed our previous reporting about the breach, one is handled by Morgan & Morgan, representing plaintiff Patricia Dean and similarly situated persons. 

This law firm recently handled an Incognito privacy lawsuit against Google, pushing the tech giant into a settlement after four years of fighting in the courts.

The lawsuit alleges that AT&T failed to adequately protect customers' personal data, leading to a cyberattack and subsequent data breach that exposed sensitive information for 73 million people.

The exposed data includes AT&T customers' names, addresses, phone numbers, dates of birth, Social Security Numbers, and email addresses.

The class action lawsuit concerns a data breach first published in 2021 by threat actor Shiny Hunters, who claimed at the time to have hacked AT&T and attempted to sell the data. However, AT&T disputed those allegations, saying the leaked data samples didn't belong to them.

On March 17, 2024, another threat actor named 'MajorNelson' leaked the entire database on a hacking forum for free, clarifying that it was the same one from Shiny Hunters' attack.

Again, AT&T told BleepingComputer that the leaked data did not appear to originate from them and that there were no signs that its systems had been breached.

Following an internal investigation, the telecom giant eventually admitted on March 30, 2024, that the exposed data belongs to 7.6 million current AT&T account holders and approximately 65.4 million former account holders.

The company also said that the AT&T passcodes for 7.6 million customers were exposed in the leak. 

When configured, these passcodes are required to receive customer support or perform sensitive account changes. However, exposing this data to threat actors could have allowed attackers to gain access to accounts more easily.

AT&T also said they believe the leaked data is from 2019 and earlier but could not determine whether it came from its systems or a partner.

The firm's initial and subsequent denials about the origin and authenticity of the leaked data and its failure to determine the origin through timely investigations have exposed customers to a heightened risk of scams and phishing attacks for nearly three years, if not longer.

Dean's complaint asserts that AT&T's inadequate security measures and failure to provide timely, adequate notice about the data breach exposed customers to substantial risks, including identity theft and various forms of fraud.

The lawsuit accuses AT&T of negligence, breach of implied contract, and unjust enrichment. It seeks compensatory damages, restitution, injunctive relief, improvements to AT&T's data security protocols, future audits, credit monitoring services funded by the company, and a trial by jury.

A Morgan & Morgan spokesperson sent BleepingComputer the following comment regarding the litigation:

As the largest telecommunications company in the country, AT&T has a crucial duty to safeguard their current and former customers’ sensitive information.

We allege AT&T knew about the vulnerability that allegedly led to this breach, but allowed it to occur by failing to act.

We’re also alleging AT&T exacerbated the problem by failing to acknowledge the breach had occurred until March 30 of this year, allowing customers’ personal data to linger in criminal hands without their knowledge for more than two-and-a-half years.

We will fight to hold AT&T accountable for their alleged actions and inactions that allowed this to happen, and secure justice for all 73 million Americans impacted by this attack on their privacy. - Morgan & Morgan spokesperson

BleepingComputer has contacted AT&T for a statement on the above, but we are still awaiting a response.

Similar class-action lawsuits submitted against AT&T in the last few days include those of plaintiffs Williamson, Escano, Collier, and Cumo. However, these will likely be consolidated in the future.
