
The US Federal Communications Commission (FCC) has reached a $1.5 million settlement with Comcast Cable Communications following a data breach at a third-party vendor that exposed sensitive data of over 237,000 Comcast subscribers.
The breach stemmed from a February 2024 security incident at debt collector Financial Business and Consumer Solutions, Inc. (FBCS), a former Comcast contractor.
Comcast is one of the largest cable and broadband service providers in the United States, operating under the Xfinity brand. It serves tens of millions of residential and business customers through its offerings in internet, TV, streaming, mobile, and home security services.
The settlement resolves the agency's investigation into whether Comcast violated federal cable privacy laws, specifically sections 631(c) and (e) of the Cable Communications Policy Act of 1984. These provisions require cable providers to safeguard subscribers' personally identifiable information (PII) and to destroy it when no longer needed.
FBCS, a New Jersey-based debt collection agency, had previously been contracted by Comcast from 2010 to 2022 to handle delinquent accounts. During this period, Comcast shared customer PII with FBCS for debt recovery purposes. Although Comcast terminated its relationship with FBCS in 2020 and fully ended operations with them by 2022, sensitive subscriber data remained on FBCS systems.
In February 2024, FBCS experienced a cyberattack that compromised its network between February 14 and 26. The incident exposed full names, addresses, Social Security numbers, birthdates, Comcast account numbers, and internal identifiers of 237,702 current and former Comcast customers, including many who subscribed to Comcast's cable TV services.
FBCS notified Comcast of the breach in July 2024 but did not notify affected individuals or state authorities. The firm later filed for bankruptcy, forcing Comcast to assume the responsibility for breach disclosures and regulatory reporting.
This development followed a broader breach disclosed in April 2024, in which FBCS reported that the same attack had impacted nearly 2 million individuals from various client organizations, not just Comcast.
As part of the Consent Decree, Comcast agreed to pay a $1.5 million voluntary contribution to the US Treasury and to implement a wide-ranging compliance program focused on subscriber data protection. Additionally, the firm will establish a formal Vendor Management Program to oversee how third parties handle sensitive customer information.
Comcast must also submit detailed compliance reports to the FCC over the next three years and designate a senior compliance officer to oversee the program's execution.






