AT&T customers across the United States are holding their breath as they await the final word on a massive $177 million data breach settlement, the result of a pair of significant cyberattacks that rocked the telecommunications giant in 2024. While the legal machinery grinds on, the case has drawn national attention to the broader issue of data privacy and security, with states like Connecticut ramping up enforcement and oversight in response to a rising tide of digital threats.
The saga began in March 2024, when AT&T discovered that sensitive information from 73 million current and former account holders—including Social Security numbers, addresses, and banking details—had found its way onto the dark web. Just a few months later, in July, hackers struck again, this time siphoning off customer phone numbers from a third-party cloud platform hosted by Snowflake Inc. The sheer scale and frequency of these breaches sent shockwaves through the industry, prompting a wave of lawsuits and a scramble for accountability.
By August 2025, AT&T had agreed to a staggering $177 million settlement, divided into two distinct pools: $149 million for the March breach and $28 million for the July incident. According to court documents reviewed by Houston Chronicle, each settlement fund is earmarked for the victims of its corresponding hack, reflecting the unique nature and impact of each event. The settlement itself, however, is anything but simple. Plaintiffs’ attorneys—led by W. Mark Lanier of the Lanier Law Firm for the March breach and Jeff Ostrow of Kopelowitz Ostrow Ferguson Weiselberg Gilbert for the July hack—are seeking a combined $59 million in fees, or roughly one-third of the total funds. This is in line with standard class action practices, where attorneys typically collect between 25% and 35% of settlement pools.
If Judge Ada Brown of the Northern District of Texas gives her blessing, the Lanier team would collect $49.67 million in fees and $564,792 in reimbursed litigation costs, while Ostrow’s group would receive $9.33 million and $231,438 in costs. The final approval hearing, which stretched for six hours on January 15, 2026, was a marathon of legal wrangling over the structure of the settlement, the opt-out policy for affected customers, and, of course, the attorneys’ fees themselves. As of now, the judge has yet to issue a final ruling, leaving millions of AT&T customers in limbo.
The settlement process has been anything but straightforward for consumers. According to the official settlement website, those affected by the March 2024 breach could receive up to $5,000 if they provided documentation of financial losses that were "fairly traceable" to the incident. Customers whose Social Security numbers were compromised were eligible for five times the payment compared to those whose private data was exposed but not their Social Security numbers. For the July 2024 hack, the maximum payout was $2,500, again contingent on proof that the data exposure led to actual harm. Customers unlucky enough to have been caught in both breaches could file two separate claims for a combined total of up to $7,500. However, as plaintiffs’ attorneys noted during the hearing, the actual payouts are likely to be much lower than these headline figures.
The scale of the settlement is breathtaking. Court records indicate that approximately 99.7 million settlement notices were sent out, and by December 30, 2025, around 4.38 million people had submitted claims. The deadline for claims was December 18, 2025, and now, with the judge’s decision pending, those who filed are left waiting for what could be months before they see any compensation. The Lanier Law Firm, for its part, declined to comment on the ongoing proceedings when reached by reporters.
While the AT&T case is among the largest and most complex data breach settlements in recent memory, it is by no means an isolated incident. On February 5, 2026, Connecticut Attorney General William Tong released a comprehensive report under the Connecticut Data Privacy Act (CTDPA), detailing the state’s efforts to safeguard consumer privacy and data security over the past year. The report paints a sobering picture: more than 1,830 data breach notifications were received by the Office of the Attorney General in 2025 alone, prompting 63 warning letters and a $105,000 settlement with Omni Healthcare over a 2024 ransomware attack.
Attorney General Tong’s report, as highlighted by WTNH News 8, goes beyond mere numbers. It outlines active investigations into a wide range of digital risks, from privacy notices and genetic data to messaging apps, gaming platforms, chatbots, and data brokers. Special attention is being paid to platforms and products that target children and teens, including social media sites, connected vehicles, and artificial intelligence tools whose design features may expose minors to privacy and security threats. Enforcement actions have been taken against companies for delayed or inadequate data breach notifications and for failing to disclose consumer rights in a transparent manner.
“Connecticut has one of the nation’s first and strongest data privacy laws, and the Office of the Attorney General is active and aggressive in protecting our rights to privacy, security and safety online,” Attorney General Tong said in a statement. “In 2025, we held companies accountable for delayed and inadequate data breach notices and hidden consumer rights. We launched active and ongoing investigations into multiple platforms that may have exploited and exposed our kids and their sensitive data to unacceptable privacy and security risks online. Privacy and data security are not optional and companies that do business in our state must take these requirements seriously.”
Looking ahead, Connecticut is planning a series of amendments to the CTDPA, set to take effect in July 2026, in a bid to bolster protections as the digital landscape continues to evolve. The state’s proactive stance stands in stark contrast to the reactive posture often seen at the federal level, where comprehensive data privacy legislation remains elusive.
For millions of Americans, the AT&T settlement and Connecticut’s enforcement push are two sides of the same coin: both are responses to a world where personal data is increasingly at risk, and where the consequences of a breach can be devastating. The legal battles, lengthy hearings, and complex claims processes may seem daunting, but they are a testament to the seriousness with which these issues are now being treated.
As Judge Brown weighs her decision in Texas and lawmakers in Connecticut prepare for the next phase of privacy reform, one thing is clear: the era of digital accountability has arrived, and companies can no longer afford to treat privacy and security as afterthoughts. For AT&T customers and Connecticut residents alike, the hope is that these hard-fought measures will translate into real protection—and a measure of peace of mind—in an increasingly connected world.
:sharpen(0.5,0.5,true)/tpg%2Fsources%2F0cadc3b0-8abc-4737-b9d6-76708b704d8a.jpeg)
:sharpen(0.5,0.5,true)/tpg%2Fsources%2F50e0c718-4bdc-4468-98e9-5d5543b7a1eb.jpeg)