ADT Data Breach Class Action Lawsuit, Were You an ADT Customer When ShinyHunters Stole 5.5 Million Records? — James v. ADT Inc., No. 9:26-cv-80546

ADT Inc. is facing a class action lawsuit — James v. ADT Inc., Case No. 9:26-cv-80546, filed in the U.S. District Court for the Southern District of Florida — alleging the home security giant failed to protect the personally identifiable information of millions of customers after a sophisticated hacking group broke into ADT’s cloud systems on or about April 20, 2026, and walked away with 5.5 million people’s names, addresses, phone numbers, partial Social Security numbers, and more.

Plaintiff Latonia James filed the class action lawsuit against ADT after a hacker infiltrated the company’s network on or about April 20, 2026, and exfiltrated sensitive customer data. The stolen information includes names, phone numbers, addresses, dates of birth, last four digits of Social Security numbers, and tax IDs. If you are or were an ADT customer, your information may already be sitting on the dark web.

ADT Data Breach Class Action Lawsuit — Key Facts

Field	Detail
Lawsuit Filed	May 2026
Defendant	ADT Inc. (NYSE: ADT), Boca Raton, Florida
Plaintiff	Latonia James
Case Number	9:26-cv-80546
Court	U.S. District Court, Southern District of Florida
Breach Date	On or about April 20, 2026
Alleged Harm	Failure to protect customer PII from a foreseeable cyberattack
Data Exposed	Names, phone numbers, addresses, dates of birth, last four digits of Social Security numbers, tax IDs
Records Affected	~5.5 million unique accounts (per breach notification service Have I Been Pwned)
Attacker	ShinyHunters cybercriminal group
Attack Method	Voice phishing (vishing) of employee Okta SSO credentials; Salesforce data exfiltration
Specific Law Alleged	FTC data security guidelines (federal); additional state law claims TBD — complaint on PACER
Who Is Affected	Current and former ADT customers and prospective customers whose PII was accessed
Current Court Stage	Early litigation — complaint filed, no class certified
Lead Plaintiff Deadline	TBD — not yet set by court
Settlement Status	No settlement — active lawsuit only
Remedy Sought	10+ years of credit monitoring for all class members; damages; declaratory judgment
Law Firm	Lynch Carpenter LLP (Nicholas A. Colella and Stephen E. Connolly)
ADT’s Response	Notified impacted individuals; offered complimentary identity protection; disclosed to SEC via 8-K on April 24, 2026
Last Updated	May 28, 2026

Who Is ADT and Why Does a Home Security Company Hold So Much of Your Personal Data?

Founded in 1874 as American District Telegraph, ADT is the oldest and largest home security company in the United States, currently providing monitored security and smart home solutions to over 6 million residential and small-business customers. When you sign up with ADT, you hand the company your full name, home address, phone number, date of birth, and in many cases partial Social Security and tax ID information — data needed to verify identity, run credit checks, and set up monitoring contracts.

That is exactly the data that ended up in the hands of hackers. ADT Inc. (NYSE: ADT) is a leading provider of security, interactive, and smart home solutions serving residential and small business customers in the U.S., with total revenue of approximately $1.3 billion in the first quarter of 2026 alone. A company that earns billions protecting other people’s property is now accused of failing to protect the sensitive personal information those customers gave it.

How ShinyHunters Broke Into ADT’s Systems and What They Took

This breach did not happen because of some exotic, unstoppable technical attack. It happened because a criminal group called ShinyHunters picked up the phone.

The extortion group told BleepingComputer that they had breached the company after compromising an employee’s Okta single sign-on (SSO) account in a voice phishing (vishing) attack. Using this employee account, the attackers said they gained access and stole data from the company’s Salesforce instance.

Voice phishing — or vishing — means someone called an ADT employee, pretended to be a trusted internal contact or IT support, and talked that employee into handing over their login credentials. With those credentials, the attackers logged into ADT’s Okta single sign-on system — the same system that unlocks access to a company’s other software — and from there accessed the Salesforce database holding millions of customer records.

On April 23, 2026, ShinyHunters listed ADT on its dark web leak site, claiming to have stolen over 10 million Salesforce records containing personally identifiable information and other internal corporate data. After ADT did not reach an agreement with the group, ShinyHunters leaked an 11 GB archive of stolen data on its dark web site.

The post issued a “Pay or Leak” ultimatum, demanding ADT respond by April 27, 2026, and threatened additional “digital problems” if the company refused to comply. ADT did not pay. The data is now publicly available on the dark web for any criminal who wants it.

Bloomberg Law reported on a separate class action against ADT filed around the same time, filed in the same Southern District of Florida court — a sign that multiple law firms see the same legal vulnerability in how ADT handled its customers’ data.

For additional context on how a ransomware or hacking group’s method of breaching a company — specifically targeting employee login credentials and cloud storage systems — creates legal liability, the Citizens Bank data breach class action coverage on AllAboutLawyer.com covers a nearly identical attack pattern from the same month, where the Everest ransomware group used comparable social engineering tactics to access customer data from a financial institution’s cloud environment. And if you want to understand how home-services companies’ breach litigation typically unfolds from complaint to settlement, the Brightspeed data breach lawsuit guide walks through the same legal framework in a consumer services context.

Related article: Country Bank for Savings $495K Fees Settlement, Check If You Are Owed a Payment, No Claim Needed, Kimball v. Country Bank for Savings, No. 2480CV00035

What ADT’s Prior Data Breaches Mean for This Lawsuit

This is not ADT’s first brush with hackers. ADT has previously disclosed two other data breaches in August 2024 and October 2024 that exposed employee and customer information.

Three breaches in under two years — two in 2024, one in April 2026 — is the detail that makes this lawsuit particularly significant. James alleges ADT maintained customer PII on systems it knew were vulnerable to cyberattack and failed to implement reasonable data security measures consistent with the Federal Trade Commission’s guidelines. When a company has already been breached twice and fails to fix the vulnerabilities that enabled those earlier attacks, courts have found that the third breach was foreseeable — and that foreseeability turns negligence into a much stronger legal claim.

Are You Part of the ADT Data Breach Class Action?

Here is exactly how to know whether this lawsuit includes you.

You may be covered if:

• You are a current or former ADT customer whose personal information was held in ADT’s Salesforce database as of April 2026
• You were a prospective ADT customer who provided your personal information to ADT for a quote or contract — the complaint explicitly covers prospective customers, not just active subscribers
• You received a data breach notification letter from ADT after April 20, 2026 — that letter is direct confirmation that ADT identified your data as part of the affected records
• Your name, phone number, address, date of birth, last four digits of your Social Security number, or tax ID was among the approximately 5.5 million records exposed

You likely do NOT qualify if:

• You have never been an ADT customer or prospective customer and provided no personal information to ADT
• You used a completely separate alarm company and have no ADT account history

Do ADT Customers Outside Florida Fall Under This Case?

Yes. This is a federal class action filed in the Southern District of Florida — where ADT is headquartered in Boca Raton. Federal class actions routinely cover plaintiffs nationwide regardless of where they live. ADT customers in Texas, California, New York, or any other state are all potentially included in the class if their data was exposed. Where you live does not determine whether you are covered — whether ADT held your data does.

If you are unsure whether your information was exposed in the ADT data breach, a free consultation with a data privacy attorney can help you assess your situation and what protective steps to take.

What ADT Customers Are Asking the Court to Award in the 2026 Data Breach Lawsuit

No money is available yet. No claim form exists. Here is what the complaint seeks so you understand what could come next.

The lawsuit seeks at least 10 years of credit monitoring for all class members, along with damages and a declaratory judgment that ADT continues to breach its legal duty to protect customer data.

The request for a decade of credit monitoring is notable and deliberate. James further argues that even where services have been offered, their duration and scope are wholly inadequate, given that breach victims commonly face multiple years of ongoing identity theft and financial fraud. ADT has offered complimentary identity protection to affected individuals — but the complaint argues that a short-term offer is not enough when the stolen data includes partial Social Security numbers and home addresses that criminals can exploit for years.

What Could ADT Customers Receive If This Case Settles?

No settlement exists and no timeline is set. In comparable data breach class actions involving millions of consumers, settlements have ranged from a few dollars per person in large classes to hundreds of dollars for victims who can document specific financial harm. Data breach settlements typically include a combination of a pro-rata cash payment, reimbursement for documented out-of-pocket losses such as credit monitoring costs or fraudulent charges, and extended identity protection services. A data privacy attorney can help you understand what your specific situation might be worth.

ADT Data Breach Lawsuit Timeline

Milestone	Date
ADT first data breach disclosed	August 2024
ADT second data breach disclosed	October 2024
ShinyHunters compromises ADT employee Okta SSO via vishing	On or about April 20, 2026
ADT detects unauthorized access to cloud-based environments	April 20, 2026
ADT discloses breach to SEC via Form 8-K	April 24, 2026
ShinyHunters lists ADT on dark web leak site	April 23, 2026
ShinyHunters “Pay or Leak” deadline	April 27, 2026
ShinyHunters leaks 11GB archive of stolen data	After April 27, 2026
Edelson Lechtzin LLP announces investigation	April 27, 2026
James v. ADT Inc. class action filed, S.D. Florida	May 2026
Class certification hearing	TBD — not yet scheduled
Expected resolution	TBD — case in earliest stage

What ADT Customers Should Do Right Now to Protect Themselves

Most class members are included automatically in a class action once a court certifies it — no immediate legal filing is required from you. But the protective steps below matter right now, because the stolen data is already circulating on the dark web.

1. Check if you received an ADT data breach notice. ADT said it directly notified all impacted individuals. If you received a letter or email from ADT about the April 2026 breach, save it. That document confirms your data was compromised and is evidence in any future claim process.
2. Place a credit freeze immediately. Contact all three major credit bureaus — Equifax, Experian, and TransUnion — and freeze your credit. A freeze is free and prevents criminals from opening new credit accounts in your name, even if they have your partial Social Security number and home address. A freeze does not hurt your existing credit.
3. Place a fraud alert on your credit file. A fraud alert requires lenders to verify your identity before issuing new credit. Unlike a freeze, one call to any of the three bureaus triggers alerts at all three.
4. Enroll in ADT’s offered identity protection — it does not waive your rights. Taking the free monitoring ADT offers does not prevent you from participating in a future class action settlement. Read the terms carefully, but in most cases accepting short-term credit monitoring does not release your legal claims.
5. Document every suspicious event from this point forward. Phishing emails, suspicious calls claiming to be from ADT or your bank, unfamiliar charges, or new accounts you did not open — write them down with dates. These records support a future compensation claim.
6. Monitor the case docket. James v. ADT Inc., Case No. 9:26-cv-80546, is in the U.S. District Court for the Southern District of Florida. Track it for free at CourtListener.com or PACER.gov.
7. Consider a personal fraud alert with the IRS. Because the breach includes tax IDs and partial Social Security numbers, tax-related identity theft is a real risk. The IRS Identity Protection PIN program can prevent someone from filing a fraudulent return in your name.

ADT Data Breach Class Action — Frequently Asked Questions, No. 9:26-cv-80546

Is there a class action lawsuit against ADT for the April 2026 data breach? 

Yes. James v. ADT Inc., Case No. 9:26-cv-80546, was filed in the U.S. District Court for the Southern District of Florida. Plaintiff Latonia James alleges ADT failed to implement reasonable cybersecurity measures that allowed ShinyHunters to compromise 5.5 million customers’ personal data on April 20, 2026.

Do I need to do anything right now to be included in the ADT data breach class action?

 No immediate legal filing is required. If the court certifies a class, eligible ADT customers are typically included automatically. Your priority right now is protecting yourself — freeze your credit, place a fraud alert, and document any suspicious activity.

My data was in the ADT breach. How serious is the risk of identity theft?

 Serious, and potentially long-lasting. The stolen data includes names, addresses, dates of birth, partial Social Security numbers, and tax IDs. With this combination, criminals can attempt to open credit accounts, file fraudulent tax returns, or pass identity verification checks. Unlike a stolen password, you cannot change your date of birth or Social Security number — which is why the lawsuit specifically requests a minimum of ten years of credit monitoring.

ADT offered me free identity protection. Does accepting it stop me from joining the class action? 

Almost certainly not, but read the terms of any offer carefully. In most data breach cases, accepting short-term credit monitoring does not constitute a legal release of your class action claims. If the offer includes any waiver or release language, consult a data privacy attorney before accepting.

Does this lawsuit cover prospective ADT customers who never became subscribers?

 Yes. The complaint explicitly covers customers and prospective customers — meaning anyone who submitted personal information to ADT in connection with a service inquiry, quote, or contract, even if they never activated service.

What specific cybersecurity failures does the ADT lawsuit allege? 

James alleges ADT maintained customer PII on systems it knew were vulnerable to cyberattack and failed to implement reasonable data security measures consistent with the Federal Trade Commission’s guidelines. The complaint further alleges ADT failed to disclose the breach’s full scope to affected individuals, regulatory authorities, and the public, leaving victims without information needed to protect themselves.

This is ADT’s third data breach in two years. Does that affect the case?

 It likely strengthens it considerably. Prior breaches put a company on notice that its systems are vulnerable. When a company fails to remediate known vulnerabilities after being breached once — let alone twice — courts have found that a subsequent breach was foreseeable and that the company’s failure to act was negligent rather than simply unlucky.

How much could ADT customers receive from a future data breach settlement? 

No money is available yet and no claim form exists. In comparable large-scale data breach settlements — including those involving millions of consumers and partial Social Security numbers — class members have received a mix of pro-rata cash payments, reimbursement for documented losses, and extended identity protection services. A data privacy attorney is the most reliable resource for estimating what your specific situation could be worth.

Sources Used in This ADT Data Breach Class Action Article

• BleepingComputer — “Home security giant ADT data breach affects 5.5 million people” (May 2026): https://www.bleepingcomputer.com/news/security/home-security-giant-adt-data-breach-affects-55-million-people/

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against the ADT SEC Form 8-K filing, BleepingComputer breach reporting, and court records on May 28, 2026. Last Updated: May 28, 2026.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified data privacy attorney for advice about your specific situation.