About A Quarter Million Comcast Subscribers Had Their Data Stolen From Debt Collector

Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion.

That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected.

However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.

Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020.

Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023.

FBCS earlier said more than 4 million people had their records accessed during that February break-in.

As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack.

The unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack

In a letter to affected customers, Comcast said FBCS had provided it the following information: "From February 14 and February 26, 2024, an unauthorized party gained access to FBCS's computer network and some of its computers. During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.

"Upon discovering the attack on February 26, 2024, FBCS launched an investigation with the assistance of third-party cybersecurity specialists. In the course of that investigation, FBCS discovered that the files downloaded by the unauthorized party contained personal information, including personal information about you. FBCS also notified the Federal Bureau of Investigation (FBI) of this attack."

The Reg has asked FBCS to confirm the ransomware element. The FBI declined to comment.

FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS.

When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter.

The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.

"FBCS notified Comcast that due to its current financial status, it would no longer able to provide notices or credit monitoring protection to individuals impacted by the incident," reads the letter to those affected. "As such, we are contacting you directly and providing support services."

We also asked FBCS to comment on this element of the notification. So far, the agency is staying silent.

Comcast sent letters to affected customers in August, though the notification was made public by the US state of Maine only this week.

CF Medical also filed a similar breach notification to Comcast's in late September, saying FBCS only discovered its customers were affected in July.

CF Medical is the trade name for Capio, another debt collection agency, which used to be a customer of FBCS. It stated that 626,396 of its customers were affected, though the letter did not mention ransomware nor FBCS's financial inability to offer credit monitoring services in the same way Comcast's letter did.

The Reg also asked FBCS whether it expects many more notifications to be made since it alerted former clients of affected data in July. ®

RECENT NEWS

From Chip War To Cloud War: The Next Frontier In Global Tech Competition

The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor ... Read more

The High Stakes Of Tech Regulation: Security Risks And Market Dynamics

The influence of tech giants in the global economy continues to grow, raising crucial questions about how to balance sec... Read more

The Tyranny Of Instagram Interiors: Why It's Time To Break Free From Algorithm-Driven Aesthetics

Instagram has become a dominant force in shaping interior design trends, offering a seemingly endless stream of inspirat... Read more

The Data Crunch In AI: Strategies For Sustainability

Exploring solutions to the imminent exhaustion of internet data for AI training.As the artificial intelligence (AI) indu... Read more

Google Abandons Four-Year Effort To Remove Cookies From Chrome Browser

After four years of dedicated effort, Google has decided to abandon its plan to remove third-party cookies from its Chro... Read more

LinkedIn Embraces AI And Gamification To Drive User Engagement And Revenue

In an effort to tackle slowing revenue growth and enhance user engagement, LinkedIn is turning to artificial intelligenc... Read more