Comcast already faces at least two class action lawsuits over a massive data breach that exposed nearly 36 million U.S. Xfinity accounts after cyber attackers broke into its systems in mid-October, 2023, by exploiting a vulnerability in Citrix software.
The cable wing of Comcast does business as telecom Xfinity. The lawsuits filed in Pennsylvania federal court this month allege that unidentified hackers exploited a “critical-rated, unpatched security vulnerability,” according to classaction.org, which reported the filings.
One lawsuit contends that "Comcast admittedly failed to safeguard the sensitive personal identifying information of millions of its consumers or implement robust security measures to prevent this information from being stolen.” Another alleges that the Xfinity customers would not have bought the service had they known their data was at risk.
Under new Security and Exchange Commission (SEC) rules that went into effect on December 18, 2023, public companies experiencing a “material” breach are required within four days to report the incident plus other associated information. So far, according to a review of Comcast SEC filings, the company had not made any related filings with the regulatory watchdog as of December 22, 2023.
Comcast has not disclosed whether third-party forensics has been involved in the post-incident activities.
In a December 18 notice to customers, Xfinity said that the exposed information included usernames and “hashed” passwords, account names, contact information, birth dates, the last four digits of users’ social security numbers and secret questions and answers. It's not known if the customer information stolen by the hackers has been used for financial or other gain.
On October 10, 2023, Citrix said it had found a vulnerability in software used by Xfinity and thousands of other companies worldwide, which Xfinity subsequently patched and mitigated. But two weeks later Xfinity found that its systems had been breached between October 16 and October 19, 2023 specifically tied to the vulnerability.
At that point, Xfinity notified federal law enforcement and initiated an investigation into the range and extent of the activity. The company said its investigation is ongoing.
Xfinity said it discovered the “suspicious activity” on Oct. 25, and on December 6 concluded the nature and scope of the compromised data. Nearly three weeks earlier, on November 16, Xfinity determined that information was “likely acquired” after additional review of the affected systems and data.
Xfinity said that customers are being notified through a variety of channels, including through the Xfinity website, email, and news media.
The company is requiring customers to reset their passwords to protect affected accounts. In addition, Xfinity “strongly” recommended customers to enable two-factor or multi-factor authentication to secure their Xfinity account,
At this point no cyber crime group has claimed responsibility for the attack.
The Comcast hit is another in a series of security breaches that have struck the entertainment industry. In September MGM and Caesars were simultaneously addled by ransomware attacks that partially shut down the resorts activities. MGM said the breach would cost it come $100 million while Caesars ultimately paid $15 million in ransom to recover its return its systems to operational.