The **Medusa ransomware group** breached **Comcast Corporation**, a global media and technology company, in late September 2025, exfiltrating **834 GB of data**. The group leaked **186.36 GB of compressed data** (expanding to ~834 GB) on October 19, 2025, after Comcast refused to pay a **$1.2 million ransom**. The leaked files included sensitive records such as **Esur_rerating_verification.xlsx**, **Claim Data Specifications.xlsm**, and proprietary **Python/SQL scripts** related to auto premium analysis. The data was split into **47 files (45 x 4 GB + 1 x 2 GB)** and made available for purchase on the dark web.

Comcast did not respond to inquiries, leaving the breach unconfirmed but highly credible given Medusa’s track record, including a prior **$4M ransomware attack on NASCAR** in April 2025. The group exploited the **GoAnywhere MFT vulnerability (CVE-2025-10035, CVSS 10.0)** for initial access. This incident follows Comcast’s **2023 Xfinity breach**, where a **Citrix vulnerability** exposed **35.9 million user accounts**. The leaked data’s scale and sensitivity suggest severe operational, financial, and reputational risks for Comcast, with potential regulatory and customer trust repercussions.
Source: https://hackread.com/medusa-ransomware-comcast-data-leak/
TPRM report: https://www.rankiteo.com/company/comcast
{
  "id": "com5935559102325",
  "linkid": "comcast",
  "type": "Ransomware",
  "date": "6/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['media',
                                     'technology',
                                     'telecommunications'],
                        'location': 'Philadelphia, Pennsylvania, U.S.',
                        'name': 'Comcast Corporation',
                        'size': 'large (Fortune 500)',
                        'type': 'public company'}],
 'attack_vector': ['exploitation of GoAnywhere MFT vulnerability '
                   '(CVE-2025-10035)',
                   'unauthenticated remote code execution'],
 'data_breach': {'data_exfiltration': '834 GB (decompressed from 186.36 GB '
                                      'compressed)',
                 'file_types_exposed': ['.xlsx', '.xlsm', '.py', '.sql'],
                 'sensitivity_of_data': 'high (internal corporate and '
                                        'operational data)',
                 'type_of_data_compromised': ['corporate documents',
                                              'Excel spreadsheets (e.g., '
                                              'Esur_rerating_verification.xlsx, '
                                              'Claim Data Specifications.xlsm)',
                                              'Python scripts',
                                              'SQL scripts',
                                              'auto premium impact analysis '
                                              'data']},
 'date_detected': '2025-09-late',
 'date_publicly_disclosed': '2025-09-26',
 'description': 'The Medusa ransomware group leaked 186.36 GB of compressed '
                'data (834 GB decompressed) allegedly stolen from Comcast '
                'Corporation in late September 2025. The group initially '
                'demanded $1.2 million from Comcast to delete the data instead '
                'of leaking or selling it. The leaked data includes files such '
                "as 'Esur_rerating_verification.xlsx', 'Claim Data "
                "Specifications.xlsm', and Python/SQL scripts related to auto "
                'premium impact analysis. The data was released in 47 split '
                'files (45 files at 4 GB each and 1 file at 2 GB) on October '
                '19, 2025. Comcast did not respond to requests for comment.',
 'impact': {'brand_reputation_impact': 'high (public leak of sensitive '
                                       'corporate data)',
            'data_compromised': ['834 GB (decompressed)',
                                 'files including '
                                 'Esur_rerating_verification.xlsx, Claim Data '
                                 'Specifications.xlsm, Python/SQL scripts']},
 'initial_access_broker': {'data_sold_on_dark_web': '186.36 GB (compressed) / '
                                                    '834 GB (decompressed) '
                                                    'offered for $1.2 million',
                           'entry_point': 'exploitation of GoAnywhere MFT '
                                          'vulnerability (CVE-2025-10035)',
                           'high_value_targets': ['corporate data',
                                                  'operational scripts']},
 'investigation_status': 'ongoing (no official confirmation or denial from '
                         'Comcast)',
 'motivation': ['financial gain', 'extortion'],
 'post_incident_analysis': {'root_causes': ['unpatched vulnerability '
                                            '(CVE-2025-10035)',
                                            'lack of timely response to '
                                            'exploit warnings']},
 'ransomware': {'data_exfiltration': '834 GB',
                'ransom_demanded': '$1.2 million (for data deletion)',
                'ransomware_strain': 'Medusa'},
 'references': [{'date_accessed': '2025-10-19', 'source': 'Hackread.com'},
                {'date_accessed': '2025-10-early',
                 'source': 'Microsoft Security Advisory (CVE-2025-10035)'}],
 'response': {'communication_strategy': 'no public response or '
                                        'acknowledgement'},
 'threat_actor': 'Medusa ransomware group',
 'title': 'Medusa Ransomware Attack on Comcast Corporation',
 'type': ['data breach', 'ransomware attack'],
 'vulnerability_exploited': 'CVE-2025-10035 (GoAnywhere MFT, CVSS 10.0)'}