More than 200,000 Comcast customers’ personal information was exposed to hackers after a data breach at a third-party debt collection company, according to a notice filed with the Maine attorney general’s office.
The breach occurred in February and affected 237,000 customers, according to the company. It happened after a ransomware attack on Financial Business and Consumer Solutions (FBCS), a former Comcast partner, which first discovered the breach in March.
According to an Aug. 16 notice to customers, Comcast said they were notified by FBCS in March that it had experienced the data breach incident but was initially told Comcast consumer data was not impacted.
The breach occurred between Feb. 14 and Feb. 26 after an unauthorized third party gained access to FBCS’s computer network and some of its computers, downloading data from their system and encrypting some systems in a ransomware attack, according to Comcast.
After further investigation by FBCS and by third-party cybersecurity specialists, investigators found Comcast data stored by the company had been breached.
The information included customers name, address, Social Security number, date of birth, and Comcast account numbers, and internal ID numbers used with FCBS. The two companies parted ties in 2020 after FBCS previously provided collections-related services for Comcast customers who didn’t pay their bill, Comcast told customers in the recent notice.
Although the two ended business relations in 2020, the compromised information dates from around 2021 as FBCS still was given access via retention requirements that allowed for such, the global media giant said.
They said the breach was entirely at FBCS and not at all within Xfinity or Comcast systems. But because of FBCS’s financial position, which prevents them from offering credit monitoring or identity protection services, Comcast decided to take responsibility.
“As such, we are contacting you directly and providing support services,” they said in the notice.
Affected customers are being offered 12 months of identity protection services through CyEx Identity Defense Complete, which includes credit monitoring.
The company also encouraged all customers to review their account statements, free credit reports, sign up for two-step verification, and to watch out for fraudulent emails or phone calls.
According to a Comcast spokesperson, the recent filing with Maine’s attorney general was a safety precaution.
They said initially FBCS was committed to notifying state AGs of the breach but the partner soon went bankrupt after filing a new notice in July, and it wasn’t clear if Comcast’s customer data was covered by the filing.
“We felt it was important and the responsible thing to do was to file ourselves and have also taken on the obligation to provide credit monitoring for our customers (for one year),” Comcast Corporate Communications spokesperson Joe Shadle told NTD News in an email.
In total, four million customers were affected by the data breach, including customers of Truist Bank and CF Medical, with as many as 35 companies affected based on filings, according to Shadle.