Back in 2017, The Economist made a bold call: data had officially overtaken oil as the world’s most valuable resource. Over the last few years, both consumers and companies have learned exactly what that means in practice.
For consumers, the scale is impossible to ignore. In 2024 alone, over 1.35 billion people in the U.S. were affected by breaches, leaks, and exposures.
For companies, the wake-up call comes later: usually when they’re hit with a class action lawsuit for failing to protect that data. And these cases can reach hundreds of millions of dollars in payouts, penalties, and mandated improvements.
This article breaks down the 10 biggest data breach lawsuits and class action settlements, telling the story—and the numbers—behind each one.
Key takeaways
- Massive data breaches are now routine, not rare
  The number of affected individuals keeps climbing. Every industry has been hit: telecom, healthcare, finance, retail, hospitality, and even genetics companies.
- Consumer payouts vary widely depending on the breach
  Some settlements funnel hundreds of millions to consumers, while others direct most funds to banks, regulators, or system upgrades. Payment amounts range from small cash payouts to thousands of dollars for documented losses.
- Medical and genetic data breaches carry the highest long-term risk
  Anthem and 23andMe show that health and genetic information can’t be “changed” like a password. These breaches often result in longer monitoring periods, higher settlement pressure, and more legal scrutiny because the harm can follow victims for life.
- Companies repeatedly miss basic security measures
  Many major breaches can be traced back to preventable failures: misconfigured cloud servers, outdated systems, weak vendor access controls, reused passwords, and delayed disclosure.
- You may be eligible for compensation without realizing it
  Many settlements offer cash, reimbursements, or free monitoring, yet millions miss out because they’re unaware of the settlement or the process feels overwhelming. Settlemate takes care of it for you: it automatically matches you to eligible claims, simplifies filing, tracks deadlines, and helps you secure the compensation you’re owed.
10 data breach lawsuits that prove your data is worth millions
Ranking the “biggest” data breach lawsuits isn’t as simple as stacking dollar amounts. It all depends on what you’re measuring.
Does “biggest” refer to the total headline value, the actual per-person payout to customers, or the final cost to the company?
This top-10 list zeroes in on U.S. consumer-focused data breach settlements and their total payout amounts. There are no investor lawsuits, security cases, or hard-to-value non-cash relief—just the settlements that matter to regular people who had their data exposed.
1. Equifax: The credit bureau breach that forced a $700-million reckoning

In 2017, Equifax, one of the country’s three major credit bureaus, admitted that a vulnerability in its system had exposed the most sensitive data Americans have: Social Security numbers (SSNs), birth dates, addresses, and credit files.
Roughly 147 million people were swept into the breach, making it one of the most severe identity-exposure events in U.S. history.
Regulators, states, and consumers moved quickly, and the result was a global settlement worth up to $700 million.
Most of the money was aimed at the people whose identities were put at risk. The rest went to state agencies and federal regulators responsible for enforcing consumer-protection laws.
Here’s the exact breakdown:
- Up to $425 million for consumer relief
- $175 million to U.S. states and territories for state-level enforcement penalties
- $100 million civil penalty to the Consumer Financial Protection Bureau for violating consumer-protection laws
2. T-Mobile: The cyberattack that came with a $350-million price tag

In August 2021, T-Mobile, one of the largest wireless carriers in the U.S., confirmed that a major cyberattack exposed the personal data of roughly 76 million U.S. customers. The specific leaked information included a mix of:
- Names and dates of birth
- Addresses and ZIP codes
- Phone numbers
- SSNs or tax ID numbers
- Government ID details (e.g., driver’s license numbers)
- Account-related data (e.g., PINs and personal unlock codes)
This was one of the largest telecom breaches in recent history, and the fallout was immediate.
Multiple class actions were consolidated, and in 2022, the company agreed to a $350-million settlement for affected customers. Although we don’t know exactly how the money was distributed, we do know it went toward:
- Cash payments for out-of-pocket losses and lost time
- Alternative cash payments for those who chose not to file detailed claims
- Identity defense services (e.g., identity monitoring)
- Restoration services for all settlement class members
- Service awards to class representatives
- Administrative costs and lawyer fees
T-Mobile also paid another $150 million to overhaul its data security systems and prevent a catastrophe like this from happening again.
3. Capital One: The cloud-server misconfiguration that cost the bank $190 million

In 2019, a former Amazon Web Services engineer took advantage of an improperly configured cloud firewall to access the personal data of more than 100 million customers and applicants of Capital One, one of the largest banks and credit-card issuers in the U.S.
The stolen information covered years of credit-card applications and included:
- Names and dates of birth
- Addresses and ZIP codes
- Phone numbers and email addresses
- Credit details
- A smaller set of SSNs and linked bank account numbers
In 2021, Capital One agreed to a $190-million class action settlement to compensate affected consumers. The table below breaks down the plans for the distribution of this settlement:
4. AT&T: The two-tier data breach that triggered a $177-million payout

For most companies, a single data breach is a nightmare. AT&T, another major U.S. wireless carrier, had to weather two massive incidents in 2014, compounding the fallout.
In March, a massive dataset containing AT&T-specific account fields, including names, addresses, passcodes, and, in some cases, SSNs, appeared on the dark web. The leak impacted about 7.6 million current customers and more than 65.4 million former account holders.
Then in July, a second incident hit: call and text metadata was illegally downloaded from an AT&T workspace hosted on Snowflake, exposing phone numbers, interaction counts, and limited cell-site information.
Both events have now been consolidated into a proposed $177-million settlement for two classes:
- AT&T 1 Class (March breach) – up to $5,000 for documented losses or a cash payment, with higher compensation for those whose Social Security numbers were exposed
- AT&T 1 Class (July breach) – up to $2,500 for documented losses or a pro-rata cash payment for customers without documentation
5. Yahoo: The multi-year security meltdown that led to a $117.5-million settlement

Between 2012 and 2016, Yahoo, one of the largest email and web service providers in the world, suffered a cascade of intrusions and full-scale data breaches, ultimately exposing all 3 billion accounts.
Email addresses, hashed passwords, security questions, and other personal information were compromised, and plaintiffs argued the company failed to secure its systems and waited too long to alert users.
After an earlier deal was rejected by the court, Yahoo reached a revised $117.5-million settlement.
Here’s how that money was allocated:
- At least $55 million for out-of-pocket losses and time spent
- About $24 million for two years of credit-monitoring services
- Up to $30 million for lawyer fees
- Up to $8.5 million for notice and administration costs
6. Anthem: The medical-data breach that became a $115-million settlement

In early 2015, Anthem, one of the largest health insurers in the U.S., revealed a cyberattack that exposed the personal information of 78.8 million current and former members, including SSNs, birth dates, addresses, and medical ID numbers.
Because medical and identity data can be misused for years, the breach was considered one of the most dangerous of its time.
Victims and state regulators alleged Anthem failed to maintain reasonable security, detect the intrusion quickly, and disclose its vulnerabilities.
After extensive litigation, Anthem agreed to a $115-million settlement, the largest consumer data-breach settlement in U.S. history at the time.
Here’s how the settlement benefits were structured:
- At least two years of premium, three-bureau credit monitoring or an alternative cash payment
- About $15 million for out-of-pocket reimbursement (up to $10,000 per person)
- Funding for fraud-resolution services and several years of mandated security improvements
7. MGM Resorts: The double-hit hotel breach that ended in a $45-million payout

MGM Resorts International, one of the largest casino and hospitality brands in the world, also saw a pair of major data incidents culminate in a unified consumer settlement.
The first breach, in 2019, exposed the personal information of tens of millions of hotel guests, including names, contact details, and dates of birth.
Four years later, in 2023, a ransomware attack crippled Las Vegas operations, shutting down slot machines and ATMs, and leaked even more sensitive data, including:
- Passport numbers
- Driver’s licenses
- Military IDs
- SSNs
MGM agreed to a $45-million settlement resolving 22 consolidated class actions. The benefits were structured as:
- $20–$75 cash payments per person, depending on the sensitivity of the data exposed
- Up to $15,000 for documented out-of-pocket losses
- One year of financial-account monitoring for affected customers
8. 23andMe: The genetic-data breach that led to a $50-million settlement

In 2023, hackers gained access to roughly 6.4 million 23andMe customer accounts by exploiting reused passwords, then used the platform’s “DNA Relatives” feature to scrape ancestry profiles, genetic matches, health indicators, and sensitive demographic data.
Unlike typical breaches involving emails or credit cards, stolen genetic information can’t be changed, revoked, or reissued. That permanence—and the fact that the attackers specifically targeted Ashkenazi Jewish and Chinese ancestry groups—made this incident especially alarming.
A $30 million class settlement was initially reached in 2024, offering compensation for economic losses and years of identity and genetic-monitoring services.
But after 23andMe entered Chapter 11 bankruptcy and was sold to a non-profit tied to its founder, lawyers pushed for more.
The result was a revised fund of up to $50 million to cover U.S. claims, extraordinary-loss payments, and five years of monitoring for affected customers in this major health data breach.
9. Home Depot: The point-of-sale hack that triggered a $200-million fallout

In 2014, Home Depot, the world’s largest home improvement retailer, suffered a major point-of-sale breach after attackers used stolen vendor credentials and deployed custom malware across U.S. and Canadian self-checkout lanes. The attack exposed 56 million payment cards and 53 million email addresses.
Although the total financial fallout reached roughly $200 million, only a fraction went to consumers: $19.5 million, used primarily for credit-monitoring services. Another $134.5 million went to banks and card networks to cover fraud and card-reissuance costs.
As for the rest, it covered the costs of internal and external investigations, as well as legal fees and regulatory fines.
The learning curve isn’t over: in 2024, Home Depot revealed a new incident involving leaked employee data.
10. Target: The holiday breach that caused a multi-front settlement topping $67.9 million

In late 2013, Target, one of the largest big-box retailers in the country, was hacked after attackers used stolen third-party vendor credentials to infiltrate the system.
The breach compromised up to 40 million debit and credit cards and exposed personal data for millions more.
While Target ultimately estimated its total breach costs at $202 million, the formal settlements broke down as follows:
- $67 million to Visa in a separate agreement
- $39.4 million to resolve claims brought by banks
- $18.5 million to State Attorneys General to settle a multistate investigation
- $10 million to a consumer fund for affected consumers
Protect yourself before the next breach hits
Given the scale and frequency of modern data breaches, the risk of your information being exposed at some point is quite high.
But instead of doom-scrolling headlines or hoping companies notify you and guide you through the claims process, you can take control with a tool designed to help you get compensated: Settlemate.
Settlemate makes filing data breach claims fast, simple, and stress-free. No legal jargon. No hunting for forms. No missed deadlines.
Here’s how Settlemate helps you get the money you’re owed:
- Automatic claim matching: Instantly see which active data breach settlements you may qualify for, so you never miss an opportunity.
- Simplified filing: Settlemate pre-fills what it can and guides you directly to the official claim portal.
- Deadline & status tracking: Stay on top of claim windows, proof requirements, and payment timelines without lifting a finger.
- Payout-focused follow-through: From cash reimbursements to credit monitoring, Settlemate tracks every benefit until you actually receive it.
A data breach can feel overwhelming, but claiming your compensation doesn’t have to.
Download Settlemate today on the App Store or Google Play and join a data breach class action lawsuit in minutes.

