Recent data breach settlements in the United States have reached historic proportions, with Capital One’s $190 million settlement and AT&T’s $177 million settlement among the largest in history. However, the question of which single breach represents the absolute largest depends on how you measure it—by total settlement value, number of affected individuals, or sensitivity of the data exposed. What’s clear is that 2025 and 2026 have seen an unprecedented wave of major settlements, with dozens of companies settling data breach claims for tens or hundreds of millions of dollars. PowerSchool’s $17.25 million settlement, announced in February 2026, is being called one of the largest student privacy breaches in U.S.
history, affecting over 10 million student records. This article examines the largest recent data breaches and settlement payouts, explains what determines payout amounts, walks through how to file claims, and covers important deadlines and limitations that affect eligibility. The magnitude of these settlements reflects both the scale of modern data breaches and growing legal accountability. A single breach today can expose millions of people’s personal information, financial records, or sensitive data like student information, making the potential damages enormous. Courts and defendants increasingly recognize this reality, resulting in settlements that often exceed $100 million.
Table of Contents
- What Are the Largest Data Breaches and Settlement Payouts in Recent History?
- How Settlement Amounts Compare and What Factors Determine Payout Sizes
- Recent Major Settlements Being Decided in 2026
- How to Determine If You’re Eligible for These Data Breach Settlements
- Important Limitations and What Settlements Don’t Cover
- Timeline and Deadlines for Claims
- What’s Changing in Data Breach Law and Future Settlements
- Conclusion
What Are the Largest Data Breaches and Settlement Payouts in Recent History?
The most significant data breach settlements of the past two years include Capital One’s $190 million settlement, which was finalized in 2025 after a hacker accessed data from approximately 100 million customers. This remains one of the largest settlements ever for a data breach. The AT&T data breach settlement, worth $177 million, covers 73 million affected customers and came with a Final Approval Hearing in January 2026; the court is still considering full approval.
Eligible AT&T customers could receive up to $7,500 per person, depending on the extent of their claims and how many total eligible claimants file. Beyond these telecommunications giants, other significant settlements include Yale New Haven Health’s $18 million settlement related to inadequate cybersecurity controls, PowerSchool’s $17.25 million settlement affecting over 10 million student records, Nelnet’s $10 million settlement for a 2022 data breach with a final fairness hearing scheduled for May 5, 2026, and Complete Payroll Solutions’ $2.6 million settlement covering approximately 376,943 individuals. Each of these settlements reflects different categories of breaches—healthcare, education, financial, and payroll—showing that no industry is immune from major data exposure incidents.
How Settlement Amounts Compare and What Factors Determine Payout Sizes
The size of a data breach settlement depends on several factors beyond just the total settlement value. The number of affected individuals is critical; the Capital One settlement divided $190 million among approximately 100 million people, while the PowerSchool settlement divides $17.25 million among over 10 million student records, showing how individual payouts can vary dramatically. However, if you’re in a settlement with fewer eligible claimants—as with smaller breaches affecting thousands rather than millions—your individual payout may be larger. For example, Complete Payroll Solutions’ $2.6 million settlement covered 376,943 people, potentially resulting in higher per-person awards than larger settlements with millions of claimants.
The type of data exposed also matters significantly. Settlements for breaches exposing Social Security numbers, financial account information, or medical records tend to be larger than breaches involving names and addresses alone. The strength of the plaintiffs’ legal case and whether the defendant was negligent in protecting data also influence final settlement amounts. A critical limitation to understand: once a settlement is reached, the amount doesn’t change based on how many people file claims. If a settlement totals $100 million and only 50,000 people claim it instead of the expected 500,000, the remaining money doesn’t go to claimants—it goes to cy pres awards (donated to related nonprofits) or back to the defendant in some cases, making early filing important.
Recent Major Settlements Being Decided in 2026
Several settlements are currently in critical approval phases in 2026, making this an important time for affected individuals to monitor deadlines. The PowerSchool settlement received preliminary approval in march 2026 from Judge Jorge L. Alonso of the U.S. District Court for Northern District of Illinois. This is one of the largest education data breaches ever, affecting student records including names, addresses, Social Security numbers, and in some cases enrollment and special education information.
The Nelnet settlement had a claims deadline that closed on March 5, 2026, and the final fairness hearing is scheduled for May 5, 2026—if you missed the March 5 deadline, you likely cannot participate in this settlement. The AT&T settlement, with its January 2026 Final Approval Hearing, is still awaiting full court approval as of March 2026. The potential payouts of up to $7,500 per person for 73 million customers make this settlement particularly significant, and approval timing could affect when payments begin. Complete Payroll Solutions received preliminary approval on February 18, 2026, moving it closer to full approval and the start of actual payment distribution. If you were affected by any of these breaches, checking your eligibility status now is crucial—many settlements have strict claim deadlines, often 4-6 months after preliminary approval.
How to Determine If You’re Eligible for These Data Breach Settlements
Eligibility for a data breach settlement typically requires proving that you were affected by the specific breach. For the Capital One settlement, AT&T settlement, or other company-specific breaches, you would need to have been a customer or subscriber during the time the breach occurred and had data exposed. Most settlements allow you to submit claims online through a dedicated settlement website or claims administrator. The AT&T settlement, for instance, direct claimants to the official settlement site at telecomdatasettlement.com to register and provide proof of loss.
The type of proof required varies by settlement. Some require only your name and basic identifying information to cross-reference against the breach victim list. Others ask for documentation of damages—such as credit monitoring costs, identity theft expenses, or time spent resolving issues. A critical distinction: if you’ve already received free credit monitoring or identity theft protection from the company, you may still be eligible for a monetary award, but that company-provided protection typically doesn’t reduce your payout amount. However, if you’re claiming reimbursement for services you paid for yourself, you’ll need receipts or proof of purchase to support your claim.
Important Limitations and What Settlements Don’t Cover
Data breach settlements compensate for specific types of losses, but they come with important limitations. Most settlements do not cover speculative damages or future harm. If you worry that your exposed data might be used fraudulently in the future, a settlement check acknowledges the breach risk but doesn’t guarantee compensation for every worst-case scenario. You can typically claim reimbursement for credit monitoring or identity theft protection services you actually purchased, identity theft-related expenses, unreimbursed losses from fraud or identity theft, time spent resolving issues (though time claims are often capped), and, in some cases, emotional distress (though these awards tend to be modest).
What settlements generally don’t cover is liability protection if you later suffer identity theft or fraud. If someone uses your stolen Social Security number to open accounts years after settling, the settlement doesn’t guarantee additional compensation—your remedy would typically be limited to your identity theft insurance or a separate legal claim. Additionally, settlements don’t typically cover consequential damages like harm to your credit score or higher insurance rates, even though these are real financial harms. Finally, if you missed the claim deadline for a particular settlement, you’re excluded entirely; missing the deadline is not grounds for extending it in most cases, making it essential to monitor settlement notices and act quickly.
Timeline and Deadlines for Claims
Data breach settlements operate on strict timelines, and missing a deadline typically means forfeiting your right to any payment. The Nelnet settlement provides a clear example: claims had to be submitted by March 5, 2026, and anyone who missed that deadline cannot recover from this settlement. The final fairness hearing, scheduled for May 5, 2026, is when the court decides whether to grant full approval and authorize payments. Most settlements follow a similar pattern: preliminary approval (often 2-4 months after the settlement is announced), a claims filing period (typically 4-6 months), a final fairness hearing, and then payment distribution (often 2-4 months later).
For the AT&T settlement, the Final Approval Hearing occurred in January 2026, but as of March 2026, the court has not yet granted full approval. If you were affected, claims are still being accepted, but waiting until after approval is riskier—submit your claim soon rather than waiting to see if approval happens. For PowerSchool, with preliminary approval in March 2026, expect a claims deadline sometime in mid-2026; sign up for email notifications from the claims administrator to ensure you don’t miss the deadline. The complete payroll solutions settlement, with preliminary approval in February 2026, will likely have claims deadlines in summer 2026. Setting calendar reminders for these dates is essential to protect your rights.
What’s Changing in Data Breach Law and Future Settlements
Data breach settlements are becoming more common and, in many cases, larger, as courts and regulators increasingly hold companies accountable for cybersecurity failures. State data privacy laws, including California’s Consumer Privacy Act (CCPA) and similar laws in other states, are giving consumers more legal standing to sue companies over breaches. Federal legislation proposals have also sought to create minimum cybersecurity standards and stricter liability for companies that fail to protect consumer data. These legal trends suggest that the massive settlements we’re seeing in 2025 and 2026 may be part of a lasting shift toward greater accountability.
One emerging trend is the increasing importance of security failures in settlement negotiations. The Yale New Haven Health settlement, for example, was explicitly tied to inadequate cybersecurity controls—the company wasn’t just breached, it was breached partly because it failed to implement basic security measures. This distinction matters: companies that suffer breaches despite reasonable security practices may face smaller settlements or defenses, while companies that negligently failed to protect data face larger payouts. For consumers, this means that future settlements may become more common but also more focused on cases where companies clearly dropped the ball.
Conclusion
While no single recent breach has been definitively labeled “the largest in U.S. history,” the Capital One settlement ($190 million), AT&T settlement ($177 million), and PowerSchool settlement ($17.25 million) are among the largest and most significant. These settlements reflect the scale of modern data breaches and growing legal accountability, with potential individual payouts ranging from a few hundred dollars to several thousand dollars depending on the settlement and number of claimants.
If you were affected by any major data breach in the past few years, you likely have a window of opportunity to file a claim and recover compensation. The critical next step is to act immediately: check whether you’re affected by any of these settlements, verify you have the correct claim deadline, and submit your claim as soon as possible. Visit official settlement websites directly (such as telecomdatasettlement.com for AT&T) rather than third-party claim administrators. Monitor your email for settlement notices, set calendar reminders for deadlines, and don’t assume you’ll remember to claim later—missing the deadline is the most common reason people fail to recover compensation they’re entitled to.