Comcast has revealed that data belonging to 237,703 of its customers was stolen in a cyberattack targeting a debt collection agency it previously employed, contradicting earlier assurances that its customers were unaffected. The collections agency, Financial Business and Consumer Solutions (FBCS), was breached in February, and while FBCS initially told Comcast in March that no customer information had been compromised, this changed in July when FBCS informed Comcast that subscriber data had indeed been stolen.
The stolen data includes names, addresses, Social Security numbers, dates of birth, and Comcast account and ID numbers used internally by FBCS. The affected customers were those registered with Comcast “around 2021,” even though Comcast had stopped using FBCS for debt collection services in 2020.
Comcast clarified that its own systems, including those of its broadband unit Xfinity, were not breached, unlike a previous incident in 2023. FBCS had earlier disclosed that over 4 million individuals had their records accessed during the February cyberattack.
While the collections agency has yet to publicly detail how the intrusion occurred, Comcast is now notifying affected subscribers that their information was stolen in the security breach. In doing so, Comcast appears to be the first to confirm that the intrusion was, in fact, a ransomware attack.
In a letter to affected customers, Comcast shared details provided by FBCS about the cyberattack: “Between February 14 and February 26, 2024, an unauthorized party accessed FBCS’s computer network and several systems. During this period, they downloaded data and encrypted some systems as part of a ransomware attack.
“FBCS discovered the attack on February 26, 2024, and launched an investigation with help from third-party cybersecurity experts. During the investigation, they determined that the downloaded files contained personal information, including details about you. FBCS also notified the FBI about the incident.”
While *The Register* has sought confirmation from FBCS about the ransomware aspect, FBCS’s official statement only attributes the breach to an “unauthorized actor” without explicitly mentioning ransomware or other technical specifics. No known ransomware group has claimed responsibility for the attack on FBCS. The FBI declined to comment.
When *The Register* inquired further, Comcast simply referred to its customer notification letter, which also subtly criticized FBCS. Due to FBCS’s financial situation, it cannot offer identity or credit monitoring services to affected individuals, so Comcast is covering these costs itself.
“FBCS notified Comcast that, due to its current financial status, it would no longer be able to provide notices or credit monitoring protection to individuals impacted by the incident,” reads Comcast’s letter to affected customers. “As such, we are contacting you directly and providing support services.”
FBCS has yet to comment on this aspect of the situation. Comcast began sending letters to affected customers in August, though the breach notification was only made public by the state of Maine this week.
In a similar move, CF Medical, operating under the trade name Capio, a former client of FBCS, filed a breach notification in late September. CF Medical reported that 626,396 of its customers were affected by the FBCS incident, but its letter did not mention ransomware or FBCS’s financial inability to offer credit monitoring services, as Comcast’s letter did.