Communications Litigation Today was a Warren News publication.
'No Stranger to Data Breaches'

More AT&T Data Breach Actions Filed in Dallas, Plus First Outside Texas

Since AT&T announced Saturday that “data-specific fields” were part of a data set involving 7.6 million current and 65.4 million former customers released on the dark web March 16, nine negligence class actions have been filed in U.S. District Court for Northern Texas in Dallas, including five by Kendall Law.

The first such case outside of Dallas was filed Monday in U.S. District Court for Western Oklahoma in Oklahoma City, in which plaintiff Sam Knight, an Oklahoma resident, alleged (docket 5:24-cv-00324) AT&T’s cyber and data security systems “were completely inadequate and allowed cybercriminals to obtain files containing a treasure trove of millions” of individuals’ highly sensitive personally identifiable information (PII).

Two weeks after Knight's and class members’ PII was leaked on the dark web, AT&T “finally began notifying victims" of the data breach via email and letter, said the complaint. Information exposed on the dark web varied by customer and account but may have included Social Security numbers, full names, email and mailing addresses, phone numbers and dates of birth, plus AT&T account numbers and passcodes, said AT&T’s Sunday update.

AT&T reset customer passcodes as a precautionary measure, calling it an “extra layer of protection for AT&T accounts” and said it will reach out by mail and email to customers with compromised “sensitive personal information” and offer complimentary identity theft and credit monitoring services, said the update. The company urged customers to “remain vigilant by monitoring account activity and credit reports.” It noted customers can set up free fraud alerts at credit reporting bureaus Equifax, Experian and TransUnion.

Knight’s complaint said he wasn’t offered any credit monitoring services from AT&T “to help shoulder the burden” of the breach, but he added that free credit monitoring services would “not adequately address the lifelong harm that victims will face." The breach involves PII that cannot be changed, such as dates of birth, it said. And even with complimentary credit monitoring services, “the risk of identity theft and unauthorized use” of customers’ PII is “still substantially high,” the complaint said, noting that fraudulent activity resulting from breaches “may not come to light for years.”

AT&T is no stranger to data breaches,” said the complaint, referencing a March 2023 notification to 9 million wireless customers that their customer information had been accessed in a breach of a third-party marketing vendor.

In August 2021, a hacker group claimed it was selling data relating to more than 70 million AT&T customers, said the complaint. At the time, AT&T disputed the source of the data, but it “was re-leaked online earlier this month,” the complaint said, citing a March 22 TechCrunch article. The article said a data seller published the full 73 million AT&T records online on a known cybercrime forum, "allowing for a more detailed analysis of the leaked records." AT&T customers have since confirmed that their leaked data was accurate, it said.

Knight’s causes of action are negligence and negligence per se, unjust enrichment, invasion of privacy and breach of implied contract. He seeks injunctive relief enjoining AT&T from “further deceptive practices” and making false statements about the breach and stolen PII; awards of compensatory, exemplary, punitive and statutory damages; restitution; attorneys’ fees and costs; and pre- and post-judgment interest.

In a Tuesday complaint in the Dallas federal court, plaintiff Michael Lovetro, a Georgia resident, alleged (docket 3:24-cv-00783) AT&T “does not follow industry standard practices in securing former and current customers’ PII,” as evidenced by the data breach.

Lovetro trusted that when he provided his PII to AT&T for its services, that the company would use reasonable measures to protect it according to AT&T’s internal policies and state law, said the complaint. Lovetro “reasonably believed that a portion of the funds he paid to AT&T for its services would be used for adequate cybersecurity protection for his PII,” it said.

Due to AT&T’s “obfuscating language,” in its dark web notice, it’s unclear to Lovetro which of his PII was exposed, how long the breach occurred and “how long cybercriminals had unfettered access to his PII,” said the complaint. AT&T deprived Lovetro of the “earliest opportunity to guard his PII against” the effects of the data breach by “failing to immediately and promptly notify him about it,” it said.

Lovetro “fears for his personal financial security and uncertainty” over what PII was exposed in the data breach and is experiencing feelings of anxiety, sleep disruption, stress, fear, and frustration as a result of it, the complaint said. The eight-count complaint includes claims of negligence and breach of confidence, fiduciary duty and express contract. He requests awards of compensatory, exemplary, punitive and statutory damages; restitution; attorneys’ fees and costs; and pre- and post-judgment interest. AT&T didn't comment Tuesday.

Internet security company Norton emailed customers Tuesday with an AT&T data breach notification, saying the PII of 73 million customers had been "re-exposed" from the 2021 breach. It encouraged customers to take steps to help protect themselves, including updating software, changing passwords often and watching for phishing attempts.