Dive Brief:

• A federal district court judge has given preliminary approval to a proposed $177 million settlement between AT&T and plaintiffs who sued the company last year over a pair of massive data security breaches impacting millions of customers.
• The breaches resulted in a number of lawsuits that were eventually combined into a single class action complaint before Judge Ada Brown of the U.S. District Court for the Northern District of Texas. The judge has scheduled a Dec. 3 hearing to consider the settlement for final approval, according to a Friday order.
• “While we deny the allegations in these lawsuits that we were responsible for these criminal acts, we have agreed to this settlement to avoid the expense and uncertainty of protracted litigation,” an AT&T spokesperson said in an email.

Dive Insight:

The consolidated class action highlights a growing concern for business leaders: the steady escalation of cybersecurity threats and data breach costs.

The FBI’s Internet Crime Complaint Center received 859,532 complaints of suspected internet crime in 2024, with reported losses exceeding $16 billion, a 33% increase over the prior year, according to a report released in April.

“Cybersecurity is not just an IT problem or a crisis scenario from a playbook, but a persistent and growing business concern with real financial implications, including the potential costs of incident response, legal liabilities, reputational damage, and loss of revenue from lack of consumer trust,” Ernst & Young cybersecurity consultants Tunde Lawson and Jaime Kipnes wrote in an April article on the topic.

Mitigating cyber risks and incorporating them into the organization’s long-term financial strategy is a mission shared by multiple people in the C-suite, including the CFO, who is “uniquely positioned to quantify these risks and estimate the cost of an incident,” the authors said.

Working in concert with the chief information security officer, the CFO can “better understand the probability and exposure to risk, set metrics on spending and ROI, and communicate recommendations for prioritizing cybersecurity spending,” they wrote.

AT&T is among companies that reported some of the largest cyberattacks last year, according to a tally by the Cyber Management Alliance, a U.K.-based consulting firm.

The AT&T proposed settlement includes $149 million to resolve a set of class action claims related to a breach the company disclosed in March 2024. The remaining $28 million is for class members impacted by a separate AT&T data breach disclosed in July 2024.

“Plaintiffs and Class Members were foreseeable victims of AT&T’s inadequate data security practices, and it was also foreseeable that AT&T’s failure to provide timely and adequate notice of the Data Breaches would result in injury to Plaintiffs and Class Members as described in this Complaint,” according to a consolidated class action complaint filed last month.

In its public notice on the first breach, the telecommunications giant said it determined that “data-specific fields” from the company were contained in a data set released on the “dark web.” As many as 73 million current and former customers were impacted by the incident, the notice said.

The compromised data varied by customer and account, but may have included full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers and passcodes, according to a set of frequently asked questions published by the company at the time.

The incident triggered a flurry of class action lawsuits. In June 2024, the Judicial Panel on Multidistrict Litigation issued an order that consolidated the cases in the U.S. District Court for the Northern District of Texas.

The company then faced a new wave of lawsuits after it disclosed the second data breach. That incident compromised six months’ worth of call and text message records of “nearly every” AT&T cellular network customer in 2022, according to a securities filing.