The FCC's Enforcement Bureau said Comcast has agreed to pay $1.5 million to resolve a vendor data breach that exposed personal data from more than 237,000 current and former customers.
In an order (PDF) published last week, Comcast's "voluntary contribution" of $1.5 million is combined with a compliance plan that includes, among other things, "certain Vendor oversight practices related to customer privacy and information protection." In addition, Comcast will take steps to "enhance an existing data inventory program" designed to accurately track personally identifiable subscriber information that is shared with vendors.
Comcast told Reuters that it "was not responsible for and has not conceded any wrongdoing in connection with this incident."
As Light Reading reported in October 2024, Comcast had notified 237,703 customers that data, including home addresses and Social Security numbers, was stolen through a ransomware attack on a third-party debt collection agency – Financial Business and Consumer Solutions (FBCS) – that is no longer used by Comcast. CF Medical/Capio and Truist Bank were also impacted by the cybersecurity attack on FBCS.
Former vendor alerted Comcast of data breach in 2024
FBCS had originally notified Comcast in March 2024 that it had been the target of a data breach, but that Comcast consumer data was not impacted. Then, in July 2024, FBCS followed up to inform Comcast that a new finding had discovered some Comcast data was impacted. An FBCS investiga
Source: https://www.lightreading.com/security/comcast-to-pay-1-5m-to-resolve-vendor-data-breach
Comcast cybersecurity rating report: https://www.rankiteo.com/company/comcast
{
  "id": "COM1764611939",
  "linkid": "comcast",
  "type": "Ransomware",
  "date": "7/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "237,703",
      "industry": "Media & Communications",
      "location": "United States",
      "name": "Comcast",
      "size": "Large (Fortune 50)",
      "type": "Telecommunications/ISP"
    },
    {
      "customers_affected": null,
      "industry": "Financial Services",
      "location": null,
      "name": "Financial Business and Consumer Solutions (FBCS)",
      "size": null,
      "type": "Third-Party Vendor (Debt Collection)"
    },
    {
      "customers_affected": null,
      "industry": "Healthcare",
      "location": null,
      "name": "CF Medical/Capio",
      "size": null,
      "type": "Affected Entity (via FBCS)"
    },
    {
      "customers_affected": null,
      "industry": "Banking",
      "location": null,
      "name": "Truist Bank",
      "size": null,
      "type": "Affected Entity (via FBCS)"
    }
  ],
  "attack_vector": "Third-Party Vendor (FBCS) Compromise",
  "customer_advisories": "237,703 customers notified of data exposure",
  "data_breach": {
    "data_encryption": null,
    "data_exfiltration": true,
    "file_types_exposed": null,
    "number_of_records_exposed": "237,703",
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (SSNs included)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Home addresses",
      "Social Security numbers"
    ]
  },
  "date_detected": "2024-03-00",
  "date_publicly_disclosed": "2024-10-00",
  "description": "The FCC's Enforcement Bureau announced that Comcast agreed to pay $1.5 million to resolve a vendor data breach that exposed personal data (including home addresses and Social Security numbers) of over 237,000 current and former customers. The breach occurred via a ransomware attack on Financial Business and Consumer Solutions (FBCS), a third-party debt collection agency formerly used by Comcast. CF Medical/Capio and Truist Bank were also impacted by the same attack on FBCS. Comcast denied responsibility but implemented a compliance plan with enhanced vendor oversight and data inventory practices.",
  "impact": {
    "brand_reputation_impact": "Potential reputational harm due to exposure of sensitive customer data",
    "conversion_rate_impact": null,
    "customer_complaints": null,
    "data_compromised": ["Home addresses", "Social Security numbers"],
    "downtime": null,
    "financial_loss": "$1.5 million (settlement)",
    "identity_theft_risk": "High (SSNs and addresses exposed)",
    "legal_liabilities": "$1.5 million FCC settlement",
    "operational_impact": null,
    "payment_information_risk": null,
    "revenue_loss": null,
    "systems_affected": null
  },
  "initial_access_broker": {
    "backdoors_established": null,
    "data_sold_on_dark_web": null,
    "entry_point": null,
    "high_value_targets": ["Comcast customer PII", "CF Medical/Capio data", "Truist Bank data"],
    "reconnaissance_period": null
  },
  "investigation_status": "Resolved (FCC settlement reached)",
  "lessons_learned": "Importance of third-party vendor risk management and real-time data inventory tracking for PII shared with external partners.",
  "post_incident_analysis": {
    "corrective_actions": ["$1.5M FCC settlement", "Enhanced vendor oversight", "Improved data inventory tracking"],
    "root_causes": ["Inadequate third-party vendor security controls", "Delayed breach notification by FBCS (March to July 2024)"]
  },
  "ransomware": {
    "data_encryption": null,
    "data_exfiltration": true,
    "ransom_demanded": null,
    "ransom_paid": null,
    "ransomware_strain": null
  },
  "recommendations": [
    "Implement stricter vendor cybersecurity audits",
    "Enhance real-time monitoring of PII shared with third parties",
    "Develop incident response protocols for vendor-originated breaches"
  ],
  "references": [
    {"date_accessed": "2024-10-00", "source": "FCC Enforcement Bureau Order (PDF)", "url": null},
    {"date_accessed": "2024-10-00", "source": "Reuters", "url": null},
    {"date_accessed": "2024-10-00", "source": "Light Reading", "url": null}
  ],
  "regulatory_compliance": {
    "fines_imposed": "$1.5 million (FCC settlement)",
    "legal_actions": ["FCC Enforcement Bureau order", "Compliance plan with vendor oversight requirements"],
    "regulations_violated": null,
    "regulatory_notifications": ["FCC", "Affected customers (237,703)"]
  },
  "response": {
    "adaptive_behavioral_waf": null,
    "communication_strategy": ["Customer notifications (237,703 affected)", "Public disclosure via FCC order"],
    "containment_measures": null,
    "enhanced_monitoring": null,
    "incident_response_plan_activated": true,
    "law_enforcement_notified": null,
    "network_segmentation": null,
    "on_demand_scrubbing_services": null,
    "recovery_measures": null,
    "remediation_measures": ["Enhanced data inventory program", "Vendor oversight practices for customer privacy"],
    "third_party_assistance": null
  },
  "title": "Comcast Vendor Data Breach Exposing 237,000+ Customer Records",
  "type": ["Data Breach", "Ransomware Attack"]
}