Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion.
That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected.
However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.
Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020.
Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023.
FBCS earlier said more than 4 million people had their records accessed during that February break-in.
As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack.
The unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack
In a letter to affected customers, Comcast said FBCS had provided it the following information: "From February 14 and February 26, 2024, an unauthorized party gained access to FBCS's computer network and some of its computers. During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.
"Upon discovering the attack on February 26, 2024, FBCS launched an investigation with the assistance of third-party cybersecurity specialists. In the course of that investigation, FBCS discovered that the files downloaded by the unauthorized party contained personal information, including personal information about you. FBCS also notified the Federal Bureau of Investigation (FBI) of this attack."
The Reg has asked FBCS to confirm the ransomware element. The FBI declined to comment.
FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS.
When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter.
The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.
- Sensitive data on 61K+ patients accessed in Alabama hospital cyberattack
- Australian e-tailer digiDirect customers' info allegedly stolen and dumped online
- T-Mobile US to cough up $31.5M after that long string of security SNAFUs
- Public Wi-Fi operator investigating cyberattack at UK's busiest train stations
"FBCS notified Comcast that due to its current financial status, it would no longer able to provide notices or credit monitoring protection to individuals impacted by the incident," reads the letter to those affected. "As such, we are contacting you directly and providing support services."
We also asked FBCS to comment on this element of the notification. So far, the agency is staying silent.
Comcast sent letters to affected customers in August, though the notification was made public by the US state of Maine only this week.
CF Medical also filed a similar breach notification to Comcast's in late September, saying FBCS only discovered its customers were affected in July.
CF Medical is the trade name for Capio, another debt collection agency, which used to be a customer of FBCS. It stated that 626,396 of its customers were affected, though the letter did not mention ransomware nor FBCS's financial inability to offer credit monitoring services in the same way Comcast's letter did.
The Reg also asked FBCS whether it expects many more notifications to be made since it alerted former clients of affected data in July. ®