Comcast Confirms 237,000 Victims Affected by Major Breach Report • The Registry

Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a collection agency it used, contrary to earlier assurances that the company was unaffected by that breach.

That collection agency, Financial Business and Consumer Solutions, or FBCS, was compromised in February and, according to a filing with the Maine attorney general, the company informed the U.S. cable giant about the unauthorized access in March. At the time, FBCS told the internet and television provider that no Comcast customer data had been compromised.

That changed in July, however, when the collection agency reached out again to say that the Comcast subscriber data it held had in fact been stolen.

Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data relates to those who registered as customers ‘around 2021’. Comcast stopped using FBCS for collection services in 2020.

Comcast made it clear that its own systems, including those of its Xfinity broadband unit, had not been breached, unlike that time in 2023.

FBCS previously said that the data of more than 4 million people was accessed during the February breach.

As far as we know, the agency has not publicly said how exactly that network intrusion occurred. Now Comcast is informing its subscribers that their data was stolen in the security breach, appearing to be the first to say the intrusion was a ransomware attack.

The unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack

In a letter to affected customers, Comcast said FBCS provided it with the following information: “Beginning February 14 and February 26, 2024, an unauthorized party gained access to FBCS’s computer network and some of its computers. During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.

“When FBCS discovered the attack on February 26, 2024, FBCS launched an investigation with the assistance of external cybersecurity specialists. During the course of that investigation, FBCS discovered that the files downloaded by the unauthorized party contained personal information, including personal information about you. FBCS also notified the Federal Bureau of Investigation (FBI) of this attack.

The Reg asked FBCS to confirm the ransomware element. The FBI declined to comment.

FBCS’s official statement only attributes the attack to an “unauthorized actor.” There is no mention of ransomware, nor many other technical details beyond the data types involved in the theft. To our knowledge, no ransomware group has ever claimed responsibility for the attack on FBCS.

When we asked Comcast about the ransomware, the company simply referred us back to the customer notification letter.

The cable company used that notification to send another little middle finger to FBCS, slyly revealing that the agency’s financial situation prevents it from providing the usual identity and credit monitoring protections to those affected, leaving Comcast to foot the bill itself.

“FBCS has informed Comcast that due to its current financial status, it would no longer be able to provide notifications or credit monitoring protections to individuals affected by the incident,” the letter to those affected reads. “As such, we will contact you directly and provide support services.”

We have also asked FBCS to comment on this part of the notice. So far the agency has been silent.

Comcast sent letters to affected customers in August, although the notice was only made public this week by the US state of Maine.

CF Medical also filed a similar breach notice with Comcast in late September, saying FBCS only discovered its customers were affected in July.

CF Medical is the trade name of Capio, another collection agency that was previously a customer of FBCS. It stated that 626,396 of its customers were affected, although the letter did not mention ransomware nor FBCS’s financial inability to provide credit monitoring services in the same manner as Comcast’s letter.

The Reg FBCS also asked whether it expects many more notifications to follow since it notified former customers of the affected data in July. ®