How Much Can You Get in a Data Breach Lawsuit?
Most people who receive a data breach notification assume there is nothing they can do except change their password and hope for the best. That assumption leaves real money on the table. Data breach lawsuits have resulted in some of the largest consumer settlements in U.S. history, and even smaller cases regularly pay out hundreds or thousands of dollars per person. The amount you can get depends on several things — what data was exposed, where you live, how much you can document, and the scale of the breach.
The Two Types of Compensation
Before looking at numbers, it helps to understand the two main ways victims are compensated.
The first is statutory damages. Some state laws — most notably California’s CCPA — allow you to sue for a set dollar amount per person per incident, regardless of whether you suffered any actual financial loss. The CCPA’s private right of action provides for statutory damages of between $100 and $750 per consumer per incident. Consumers may also receive actual damages if they are greater, plus injunctive or declaratory relief. This matters because it removes one of the biggest barriers in data breach cases: proving harm.
The second is documented losses. If you actually suffered identity theft, fraudulent charges, costs to freeze your credit, or lost income dealing with the aftermath, you can claim those real-world expenses on top of or instead of statutory damages. Documented damages in data breach cases include economic damages such as fraudulent charges, credit monitoring fees, bank fees, and lost income, as well as non-economic damages such as emotional distress and loss of privacy.
In class action settlements, claimants typically choose one track: a smaller flat payment for those without documented losses, or a larger reimbursement for those who can show receipts, fraud reports, and records.
What Individual Payouts Actually Look Like
Most data breach settlements pay $25 to $5,000 depending on whether you have documented losses. That range reflects reality well. Here is how payouts break down across different settlement tiers:
For claimants without documented losses, payments are often small — anywhere from $25 to a few hundred dollars. The money is split among everyone who files a claim, so the more claimants in a large settlement, the smaller each person’s share.
For claimants with documented losses, the range rises substantially. In large class actions, individual payouts without documented harm typically range from $25 to several hundred dollars, but if you suffered identity theft, financial fraud, or other documented harm, your share could be $5,000 to $10,000 or more.
In healthcare and financial breaches where sensitive data like Social Security numbers and medical records are exposed, courts and settlement negotiators tend to award more, because the potential for ongoing harm to victims is higher.
Major Settlements and What Victims Received
Looking at real settlements helps set expectations.
The Equifax 2017 breach exposed the personal information of nearly 150 million people. The overall settlement was $575–$700 million, including a $425 million consumer fund for credit monitoring and cash claims. The Equifax consumer claims period closed in January 2024, with reimbursement up to $20,000 for documented losses. The average payout per person was modest precisely because of the enormous number of claimants.
After a 2021 breach that affected 76 million U.S. customers, T-Mobile agreed to a $350 million settlement for consumers, with T-Mobile also committing $150 million to improve its cybersecurity practices.
Capital One faced a class-action lawsuit after a hacker accessed data from approximately 100 million customers. In 2025, the company reached a $190 million consumer class settlement.
AT&T agreed to a $177 million settlement covering two data breaches that exposed the information of 73 million customers. Claimants affected by both breaches could receive up to $7,500 combined, with payouts expected by spring 2026 pending final court approval.
On the smaller end, Absolute Dental Group agreed to a $3.3 million settlement for a 2025 breach that exposed patient Social Security numbers and health data, with claimants eligible for up to $5,000 in documented losses, and California residents eligible for double payment.

What Factors Determine How Much You Get
Several things push individual compensation up or down.
The scale of the breach matters enormously. Large-scale breaches like Equifax or Yahoo typically result in smaller payouts per person due to the number of affected individuals. Smaller breaches, especially in healthcare or telecom, can provide more substantial compensation per person. A $50 million settlement split among 10 million claimants pays very differently from a $5 million settlement split among 50,000.
Where you live affects your rights. In California, where data protection laws are robust, victims can claim higher damages under the CCPA. Other states have their own laws, and some offer significantly less protection. The CCPA is currently unique in allowing statutory damages without proof of actual harm.
Documentation is one of the biggest factors within your control. If someone actually used your stolen data, your claim is worth more. Identity theft, fraudulent charges, or unauthorized account openings all increase the damages you can prove. Save every receipt, every fraud report, every communication from your bank, and every hour you spent dealing with the fallout.
The company’s conduct also matters. Courts and negotiators consider whether the company had reasonable cybersecurity protections in place. Evidence of weak systems or ignored warnings often drives higher payouts.
Class Action vs. Individual Lawsuit
Most data breach victims join class actions rather than pursuing individual claims. Class actions allow thousands of people to pool resources and sue together, which is practical when individual losses are hard to quantify. The tradeoff is that individual payouts are smaller.
In most class actions, you are automatically included unless you opt out. If you do nothing, you will receive whatever the class gets. But you also have the right to opt out and pursue your own individual claim. An individual lawsuit makes the most sense when you suffered substantial, documented harm — significant identity theft, financial loss, or a sustained period of dealing with fraud — that is worth pursuing separately with your own attorney.
A key feature of CCPA statutory damages is that plaintiffs need not prove actual damages to receive significant monetary awards. This means businesses that hold personal information can quickly accumulate significant potential exposure when the statutory damage amount is multiplied by large groups of plaintiffs. That legal pressure is exactly what drives companies to settle.
How Long It Takes to Get Paid
Most data breach cases take one to three years from the breach to the final payout. The process includes investigation, filing the lawsuit, discovery, negotiation, and court approval. Some cases settle faster if the company wants to avoid bad press. Others drag on if the company fights every step.
After a settlement is reached, there is still a court approval process, an opt-out period, a claims window, and then actual distribution of funds. Even after all that, appeals can delay payment further.
The Mistake That Costs People Their Compensation
The reason most eligible people never collect is that they miss the deadline, use the wrong website, or do not know the settlement exists. Claims deadlines are firm. If you miss the window, you permanently give up your right to compensation from that settlement.
To check if you are eligible for any open settlements, visit AllAboutLawyer.com or the official settlement website for any breach you were notified about. For more on recent high-profile cases, see our coverage of the Gmail $425M Privacy Settlement and the Apple $95M Siri Settlement on AllAboutLawyer.com.
Frequently Asked Questions
Do I need to prove I was harmed to get money from a data breach lawsuit?
Not always. Under the CCPA, statutory damages of between $100 and $750 per consumer per incident are available without needing to show quantifiable injury from the loss of control over personal information. Other states may require proof of actual harm.
How much do I get if I just file a basic claim without documented losses?
Most data breach settlements pay $25 to $5,000 depending on whether you have documented losses. Without documentation, expect the lower end of that range, often between $25 and $200, depending on how many people file claims.
What if I can prove I suffered identity theft or fraud?
Your claim is worth significantly more. If you suffered identity theft, financial fraud, or other documented harm, your share could be $5,000 to $10,000 or more. Save all evidence: police reports, bank statements, fraud alerts, and receipts for any costs you incurred.
Can I opt out of a class action and sue on my own?
Yes. If you suffered large, provable losses, opting out and filing your own individual lawsuit may result in higher compensation than your share of a class settlement. Speak with a data breach attorney to evaluate which path makes more sense for your situation.
How do I find out if there is a settlement I can claim?
Check AllAboutlawyer.com, the FTC’s website at consumer.ftc.gov, and HaveIBeenPwned.com. If you received a breach notification letter, it often includes information about any settlement or a dedicated claims website.
Will I owe taxes on a data breach settlement payout?
It depends on the nature of the payment. Compensation for documented out-of-pocket losses is generally not taxable. Punitive or statutory damages may be. Consult a tax professional if your payout is substantial.
Sources: California Attorney General, CCPA Consumer Rights; Skadden, CCPA Statutory Damages Analysis (April 2025); ClassActionU, Average Settlement of Data Breach Lawsuits (February 2026); The Simon Law Group, Data Breach Settlement Guide; AllAboutlawyer.com, settlement database; MoneyPilot, Data Breach Settlement Guide (2026)
Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Settlement amounts vary significantly based on individual circumstances, state laws, and the specific terms of each case. Consult a licensed attorney to understand your rights in a specific situation.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
