Comcast will pay a $1.5 million fine to settle an FCC (Federal Communications Commission) investigation into a 2024 vendor data breach that exposed sensitive information belonging to more than 270,000 customers.
A Breach Originating Outside Comcast
The incident traces back to February 2024, when hackers infiltrated the systems of Financial Business and Consumer Solutions (FBCS), a debt collector firm Comcast had last worked with in 2022. Despite being a former vendor, FBCS still held sensitive customer records.
Although the breach initially appeared to affect fewer than 2 million people, the number eventually increased to more than 4 million by mid-2024. In July 2024, Comcast learned that data for 273,703 of its current and former customers had been compromised, despite FBCS previously assuring the company that no company data had been impacted, a claim later proven untrue.
Before publicly disclosing the breach, FBCS had also filed for bankruptcy, which added to concerns around its data-handling practices.
What Was Exposed
Hackers stole a wide range of sensitive details between February 14 and February 26, including:
- Full names
- Addresses
- Dates of birth
- Social Security numbers
- Comcast account and internal ID numbers
Those affected were users of various Xfinity services, such as internet, TV, streaming, home security, and VoIP.
FCC Settlement Requires New Oversight
Under the settlement with the FCC on Monday, Comcast must adopt a multi-year compliance plan, including:
- Vendors must certify every two years that customer data they no longer need has been securely deleted or anonymized.
- A senior executive must oversee data protection and vendor compliance.
- Conducting risk assessments of vendors every two years.
- Comcast will file reports twice a year for three years and must disclose any violations within 30 days.
These requirements stem from the Cable Communications Policy Act of 1984, which mandates strong protections for subscriber data.
Comcast Denies Responsibility
Comcast said it "was not responsible" for the incident, emphasizing that:
- FBCS alone suffered the breach
- Comcast's own network remained secure
- FBCS was contractually required to meet security standards
The company added that it remains committed to strengthening its cybersecurity policies and protecting customer information to prevent similar incidents.
Third-Party Security Risks In Focus
The case highlights ongoing concerns around a growing list of high-profile hacks tied to outside contractors and service providers. As companies rely more heavily on third-party vendors, regulators underscore the need for stronger oversight of companies that handle sensitive customer information on behalf of large corporations.
