Class-action lawsuit accuses AT&T of negligence, ‘unjust enrichment’

DALLAS – The Dallas Morning News says that AT&T now faces a legal fight after the phone numbers of over 100 million U.S. customers who used the company’s wireless services between March and October 2022 were stolen in the company’s second major data breach of 2024. The case (3:24-cv-1797) is a class-action lawsuit against the Dallas-based telecommunications giant, filed in the U.S. District Court for the Northern District of Texas late Friday by 15-year AT&T customer and named plaintiff Dina Winger. The suit alleges AT&T wasn’t transparent about the severity of the breach, didn’t safeguard important data from malicious parties and earned “unjust enrichment” from customers after failing to protect their information. “As a direct and proximate result of AT&T’s failure to exercise adequate and reasonable care and use commercially adequate and reasonable security measures, the [personally identifiable information] of Plaintiff and Class Members was accessed by ill-intentioned individuals who could and will use the information to commit identity or financial fraud,” the lawsuit reads. “Plaintiff and Class Members face the imminent, certainly impending, and substantially heightened risk of identity theft, fraud, and further misuse of their personal data.”

Patrick Yarborough, a Houston-based lawyer representing Winger who helped file the case, confirmed Monday that this was the first lawsuit filed against AT&T in Dallas for the breach. Should more plaintiffs sue the company, their cases could be lumped into Winger’s class-action lawsuit. Yarborough said he wouldn’t be surprised if dozens more plaintiffs and law firms get involved in the future due to the scope of the data breach. AT&T revealed in a Securities and Exchange Commission filing on Friday that the cause of the breach was a “threat actor” who illegally accessed company workspaces on a third-party cloud platform in April. The actor gradually siphoned nearly six months of call logs dating from May 1 to Oct. 31, 2022, as well as Jan. 2, 2023, compromising the phone numbers of nearly all AT&T customers. AT&T said the breached channel is now closed and the stolen information isn’t publicly available nor personally identifiable (through information like Social Security numbers, names or ages), but phone numbers can still be traced to individuals with easy-to-access online tools like Whitepages. Wired reported Sunday that AT&T paid over $300,000 in Bitcoin to one of the hackers in May to delete the stolen data, which it confirmed with video evidence. The hacker obtained the data by breaking into one of AT&T’s cloud storage accounts hosted by software company Snowflake, Wired reported. Snowflake also serves companies like Ticketmaster, Advance Auto Parts and international banking firm Santander. All of those companies, plus roughly 150 others, were subject to breaches in April and May.