- More than 237K Comcast customers had their personal data stolen by hackers in February
- The ransomware attack occurred not on Comcast's network but via a debt collection agency the operator stopped using in 2020
- The breach highlights the growing security risk enterprises face in using third-party vendors
Personal data from telecom customers has once again been snatched by hackers. A data breach earlier this year impacted 237,703 Comcast customers, the operator recently disclosed. The incident highlights a growing risk operators face from attacks on their third-party vendors.
The breach, which occurred on February 14 and was discovered on July 17, didn’t take place on Xfinity or Comcast's systems but at Financial Business and Consumer Solutions (FBCS), a debt-collection agency Comcast previously used. Comcast customers were notified about the breach on August 16, according to a filing with Maine’s attorney general.
A letter to Comcast customers stated that between February 14 and February 26, an “unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.”
Hackers downloaded personal information such as names, addresses, Social Security numbers, dates of birth, Comcast account numbers and ID numbers used internally at FBCS.
FBCS initially informed Comcast in March that the breach involved no Comcast customer data, but notified the operator again in July that its customer data was, in fact, compromised. Comcast said it stopped using FBCS for debt collection in 2020 and the stolen personal data “dates from around 2021.” Unfortunately for customers, Social Security numbers and birthdays don't exactly change with time.
Akhil Mittal, senior manager of cybersecurity strategy and solutions at Black Duck, said this data breach highlights “a growing trend in cybersecurity” of the risks companies face using third-party vendors.
“While organizations are getting better at securing their own systems, they also need to think about the partners they work [with] and rely on,” he said.
According to Verizon’s latest Data Breach Investigations Report, 15% of data breaches in 2023 involved a third party. Third parties included data custodians, and breaches tended to relate to software vulnerabilities or direct or indirect supply chain issues.
“Organizations and their partners must collaborate to create a secure and transparent ecosystem,” said Mittal. “Customers should ask for more transparency about how their data is handled, and organizations should prioritize vendor assessments as much as their own defenses.”
If you’re a Comcast customer, “the best thing to do right now” is to update your passwords, “monitor your credit” and “set up fraud alerts,” he added.
Incidents like this ransomware attack are “testament to the growing risk of having custodianship of customer personal data even beyond Personal Identifiable Information,” neXt Curve Analyst Leonard Lee told Fierce.
“It is likely things will get worse and the risks and liabilities for data brokers greater,” Lee said.
Comcast last year revealed 36 million customer IDs were compromised by a security breach that stemmed from a vulnerability called “CitrixBleed,” which impacted other major companies like Boeing and Toyota.
Frontier faced similar troubles in April with a breach that stole data from more than 750,000 of its customers.