The Federal Communications Commission announced this week that Comcast will pay a $1.5 million civil penalty to resolve an investigation into a 2024 data breach at one of its former debt-collection vendors that exposed the personal information of approximately 237,000 current and former customers.
According to the FCC’s enforcement bureau, the compromised data belonged to subscribers of Comcast’s Xfinity internet, television, and home-security services. The breach occurred at Financial Business and Consumer Solutions (FBCS), a third-party debt collector that Comcast had retained until 2022. Even though the business relationship ended two years earlier, FBCS continued to store Comcast customer records containing sensitive personal information.
The incident came to light in early 2024 when FBCS notified affected individuals that cybercriminals had gained unauthorized access to its systems. The exposed information reportedly included names, addresses, dates of birth, partial or full Social Security numbers, account numbers, and details about services subscribers had purchased from Comcast. In some cases, driver’s license numbers and security questions used for account verification were also compromised.
FCC investigators determined that Comcast failed to implement adequate oversight of its former vendor’s data-security practices after the relationship ended. Although Comcast had contractually required FBCS to maintain reasonable security measures and to delete customer data o
Comcast cybersecurity rating report: https://www.rankiteo.com/company/comcast
{
  "id": "COM1764424503",
  "linkid": "comcast",
  "type": "Breach",
  "date": "1/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "237,000",
      "industry": ["telecommunications", "internet service", "cable television", "home security"],
      "location": "United States",
      "name": "Comcast (Xfinity)",
      "size": "large (Fortune 50 company)",
      "type": "telecommunications and media conglomerate"
    },
    {
      "customers_affected": null,
      "industry": "financial services (debt collection)",
      "location": null,
      "name": "Financial Business and Consumer Solutions (FBCS)",
      "size": null,
      "type": "third-party debt collection vendor"
    }
  ],
  "customer_advisories": ["FBCS notified affected individuals of the breach"],
  "data_breach": {
    "data_encryption": null,
    "data_exfiltration": true,
    "file_types_exposed": null,
    "number_of_records_exposed": "237,000",
    "personally_identifiable_information": true,
    "sensitivity_of_data": "high (includes SSNs, driver’s license numbers, security questions)",
    "type_of_data_compromised": ["personally identifiable information (PII)", "financial data", "account verification data"]
  },
  "date_publicly_disclosed": "2024-05-00",
  "description": "The Federal Communications Commission (FCC) announced that Comcast will pay a $1.5 million civil penalty to resolve an investigation into a 2024 data breach at its former debt-collection vendor, Financial Business and Consumer Solutions (FBCS). The breach exposed the personal information of approximately 237,000 current and former Comcast customers, including subscribers of Xfinity internet, television, and home-security services. The compromised data included names, addresses, dates of birth, partial or full Social Security numbers, account numbers, service details, driver’s license numbers (in some cases), and security questions used for account verification. The FCC determined that Comcast failed to implement adequate oversight of FBCS’s data-security practices after terminating the business relationship in 2022.",
  "impact": {
    "brand_reputation_impact": "potential reputational damage due to exposure of sensitive customer data",
    "conversion_rate_impact": null,
    "customer_complaints": null,
    "data_compromised": [
      "names",
      "addresses",
      "dates of birth",
      "partial/full Social Security numbers",
      "account numbers",
      "service purchase details",
      "driver’s license numbers (in some cases)",
      "security questions for account verification"
    ],
    "downtime": null,
    "financial_loss": "$1.5 million (FCC civil penalty)",
    "identity_theft_risk": "high (due to exposure of SSNs, driver’s license numbers, and security questions)",
    "legal_liabilities": ["FCC investigation", "$1.5 million civil penalty"],
    "operational_impact": null,
    "payment_information_risk": null,
    "revenue_loss": null,
    "systems_affected": ["FBCS (Financial Business and Consumer Solutions) systems"]
  },
  "initial_access_broker": {
    "backdoors_established": null,
    "data_sold_on_dark_web": null,
    "entry_point": null,
    "high_value_targets": ["Comcast customer PII"],
    "reconnaissance_period": null
  },
  "investigation_status": "resolved (FCC settlement reached)",
  "lessons_learned": [
    "Importance of post-contractual vendor oversight",
    "Need for explicit data deletion clauses with third-party vendors",
    "Risks of retaining customer data beyond necessary periods"
  ],
  "motivation": ["financial gain", "data theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "$1.5 million civil penalty paid to FCC",
      "Likely internal policy reviews for third-party vendor management"
    ],
    "root_causes": [
      "Comcast’s failure to oversee FBCS’s data-security practices post-contract termination",
      "FBCS’s retention of Comcast customer data beyond the end of the business relationship",
      "Inadequate security measures at FBCS leading to unauthorized access"
    ]
  },
  "ransomware": {
    "data_encryption": null,
    "data_exfiltration": true,
    "ransom_demanded": null,
    "ransom_paid": null,
    "ransomware_strain": null
  },
  "recommendations": [
    "Implement stricter vendor data-security audits, even after contract termination.",
    "Enforce contractual obligations for timely deletion of customer data by third parties.",
    "Enhance monitoring of third-party vendors handling sensitive customer information.",
    "Provide identity theft protection services to affected customers."
  ],
  "references": [
    {"date_accessed": null, "source": "Federal Communications Commission (FCC)", "url": null}
  ],
  "regulatory_compliance": {
    "fines_imposed": "$1.5 million",
    "legal_actions": ["FCC enforcement action"],
    "regulations_violated": ["FCC data security and vendor oversight requirements"],
    "regulatory_notifications": ["FCC investigation and public disclosure"]
  },
  "response": {
    "adaptive_behavioral_waf": null,
    "communication_strategy": ["notification to affected individuals by FBCS"],
    "containment_measures": null,
    "enhanced_monitoring": null,
    "incident_response_plan_activated": null,
    "law_enforcement_notified": null,
    "network_segmentation": null,
    "on_demand_scrubbing_services": null,
    "recovery_measures": null,
    "remediation_measures": null,
    "third_party_assistance": null
  },
  "threat_actor": "cybercriminals",
  "title": "Comcast Data Breach via Former Debt-Collection Vendor (2024)",
  "type": ["data breach", "third-party vendor compromise"],
  "vulnerability_exploited": ["inadequate vendor oversight", "improper data retention by third-party vendor"]
}