Date: 2024-07-17

By Andrew Long, The Dallas Morning News

AT&T now faces a legal fight after more than 100 million U.S. customers who used the company’s wireless services between March and October 2022 had their phone numbers stolen in the company’s second major data breach of 2024.

The case (3:24-cv-1797) is a class-action lawsuit against the Dallas-based telecommunications giant, filed in the U.S. District Court for the Northern District of Texas late Friday night by 15-year AT&T customer and named plaintiff Dina Winger. The suit alleges that AT&T was not transparent with the severity of the breach, did not safeguard important data from malicious parties and earned “unjust enrichment” from customers after failing to protect their information.

“As a direct and proximate result of AT&T’s failure to exercise adequate and reasonable care and use commercially adequate and reasonable security measures, the [personally identifiable information] of Plaintiff and Class Members was accessed by ill-intentioned individuals who could and will use the information to commit identity or financial fraud,” the lawsuit reads. “Plaintiff and Class Members face the imminent, certainly impending, and substantially heightened risk of identity theft, fraud, and further misuse of their personal data.”

AT&T declined to comment on the lawsuit.

Patrick Yarborough, a Houston-based lawyer representing Winger who helped file the case, confirmed Monday that this was the first lawsuit filed against AT&T in Dallas for the breach. Should more plaintiffs sue AT&T, their cases could be lumped into Winger’s class-action lawsuit. Yarborough said he wouldn’t be surprised if “dozens” more plaintiffs and law firms get involved in the future due to the scope of the data breach.

AT&T revealed in a Securities and Exchange Commission filing on Friday that the cause of the breach was a “threat actor” who illegally accessed company workspaces on a third-party cloud platform in April of this year. This actor gradually siphoned nearly six months of call logs dating from May 1 to October 31, 2022 as well as Jan. 2, 2023, compromising the phone numbers of “nearly all” AT&T customers.

AT&T said that the breached channel is now closed and the stolen information is not publicly available nor personally identifiable (like social security numbers, names or ages), but phone numbers can still be traced to individuals with easy-to-access online tools like Whitepages.

Wired reported Sunday that AT&T paid more than $300,000 in Bitcoin to one of the hackers in May to delete the stolen data, which it confirmed with video evidence. The hacker obtained the data by breaking into one of AT&T’s cloud storage accounts hosted by software company Snowflake, Wired reported, which also serves companies like Ticketmaster, Advance Auto Parts and international banking firm Santander. All of those companies, plus roughly 150 others, were subject to breaches between April and May.

“Like most companies that deal with large amounts of data, we often use specialized and trusted cloud services platforms for various functions,” an AT&T spokesperson wrote in an email. “These platforms enable companies to work with large amounts of data in a centralized place. In this case, we had put a copy of the data on the third-party platform for analysis related to our business.”

Even if the primary dataset has been deleted, it remains unclear how many AT&T customers’ data is still vulnerable in unknown hands. This has forced customers to protect themselves from identity fraud by freezing credit or closing financial accounts, among other time- and money-intensive measures, the lawsuit said. The lawsuit claims that this is an unjust burden on consumers who were guaranteed data security by AT&T, and warrants compensation.

“AT&T alone was, and is, in a position to protect against the harm suffered by Plaintiff and Class Members as a result of the Data Breach,” the lawsuit says.

Class-action lawsuits are the most popular and effective type of case when dealing with companies of AT&T’s size or issues as wide-spanning as a data breach, said Carliss Chatman, an associate professor of law at Southern Methodist University. This is because suing on behalf of a class of people rather than a case-by-case basis keeps costs down for both plaintiff and defendant and reduces logjam in the courts.

In this lawsuit, the proposed “class members” include “all persons whose [personal identifying information] was accessed and/or acquired in the data incident,” meaning any person who fits that definition is entitled to damages unless they opt out. Establishing a class in cases like this where the harm — stolen data — is clear is much easier than doing so in cases with lots of unique personal injuries, Chatman said.

“You want it to be easy for a court to put a settlement matrix together. That’s your ultimate goal.” The lawsuit defines its class as “all persons whose [personally identifiable information] was accessed and/or acquired in the data incident.”

Class definitions are one of the most finicky parts of class-action lawsuits and often one of the first things that gets contested, Yarborough said. Combined with lengthy meetings with courts, fellow plaintiffs, fellow law firms and, in this instance, AT&T representatives, this case could be stretched out multiple years.

A trial is far less likely than a settlement for most class-action lawsuits, Chatman said. It’s possible AT&T would settle quickly if the class is certified to avoid a lawsuit from shareholders or intrusions by federal regulatory agencies. AT&T said in its SEC filing that it does not expect the breach to “materially impact” its financial condition.

Chatman said that since lawyers front the cost of “high-risk, high-reward” class-action lawsuits, their payout upon settlement is substantial — often more than a third of the total sum. If a settlement is reached with AT&T and the class is large enough, clients and attorneys could bag a hefty take-home prize.

But she said the solution to the lawsuit’s allegations doesn’t have to only be money. “If we were to say this cost everyone $100 a person, or if they say something like, ‘we want AT&T to pay for privacy monitoring, or to pay to freeze everyone’s credit reports, or to pay for people to have a service that monitors their credit, their privacy, whatever, in addition to the cash,’ courts can do that, too.”

Whatever the resolution, the scale of the breach means a quick, cheap and easy fix is unlikely.

“I think this is a pretty unique case, and so it’s pretty hard to say how much (AT&T) should be accountable for,” Yarborough said. “If you’re talking about as many as 100 million people, it’s hard to even talk about what a settlement or a verdict would look like. But let me tell you, it’s in the B-billions. No question.”