A Quarter Million Comcast Subscribers Had Data Stolen From Debt Collector

An anonymous reader quotes a report from The Register: Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion. That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected. However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.

Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020. Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023. FBCS earlier said more than 4 million people had their records accessed during that February break-in. As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack. [...]

FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS. When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter. The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.

Got a laugh out of me

[LondoMollari]

“Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023.“

LOL, especially this happened AFTER the breach in question!

Re:

[ls671]

Offer affected "bad" customers who went into debt collection to wave any amounts disputed. This should solve most cases.

WTF?

[Random361]

Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?

Re:

[bill_mcgonigle]

> company even have your date of birth or social security number?

The Control Grid exists to extract maximum wealth from the Working Class and to keep track of conscripts to be riddled with bullets in foreign wars of adventure.

So even if you leave town, unlike in the rest of Human history, you can't start over - you need DOB and SSN to buy or sell, rent, or get a job so the debt collectors and Draft Officers can find you.

Most people can't handle the misery of accepting this status quo because immortality

Re:

[Random361]

That sounds a lot like the Mark of the Beast to me. But, come to think of it, DirecTV (AT&T) probably has that shit on me. I guess when I cancel soon they're really going to want their ten year old shit (even then) equipment back. So they can throw it into a landfill and make their mark destroying the planet. I would do better harvesting some of the chips to do hobby projects. Maybe I'd make a new garage door opener...for myself or hook a binary counter and amplifier up to it for my several thousand clo

Re:

[ElimGarak000]

Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?

They wouldn't. The collector would, though.

The part I find interesting is that by the letter of the law, I'm not sure whether Comcast (as opposed to FBCS) is required to disclose this breach, since it was not a breach of a system they controlled. The fact that information was breached that they themselves did not possess in their own database seems relevant.

Re:

[DewDude]

Comcast, and most companies, require a credit check for services.

They collect your SSN to run the check as well as to have something to report against when they sell your debt.

Re:

[DewDude]

Credit checks. They will not give you service unless you pass a credit check because they claim they are leasing you equipment.

But remember that debt collectors collecting a debt gain a lot of additional rights. They can start to harass your family to collect. They can track you down.

The fact is, the information the debt agency has is far more comprehensive than the cable company.

Re: WTF?

[writeRight]

>> They will not give you service unless you pass a credit check

I got service, and their crappy gateway unit, without SSN and without birthday. I politely say 'no thank you', just like I did for natural gas service. Anyon can ask for your SSN and DNA and some people say 'no'. Other people love giving away privacy because it keeps them safe or something. It's the same with getting a USA passport - I have left the SSN field blank, and used all zeros, and used a random number for me and my family.

Re:

[Lehk228]

they require it to sign up, because a lot of deadbeats don't pay their bill

Why date of birth and SSN

[FeelGood314]

They have it because American's don't have a unique identifier. So companies have to collect a lot of immutable data about you so that they can uniquely identify you and so they can merge data from different sources into a single record about you. By not having a unique number we actually give up privacy. By forcing companies to use lots of essentially public data about a person to identify them companies are often forced to use this information as authorization by the individual, opening the individual

Re: Why date of birth and SSN

[writeRight]

No, there is no forcing. It's voluntary consent by the people to give way their info. Just say no.

Re:

[PPH]

Just say no.

Me: Now, may I please have service.
Comcast: No.

Me: But I'm a POC and don't have identification.
Comcast: No.

Me: Well, at least I can still vote.

Re: Why date of birth and SSN

[writeRight]

Was that a fictional interaction? I literally have Comcast service (and cell phone, and electric, and natural gas) without providing SSN or birth date.

made it clear its own systems were not broken into

[TheNameOfNick]

Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into

Irrelevant. Comcast gave them that data. It's Comcast's responsibility.

Re:

[DewDude]

No; because once they sold the debt to a collection agency; a whole new set of rules came in to play.

Just remember that comcast isn't allowed to call your family 20 times a day looking for you; that's harassment.

A debt collector can; and if the debtor is dead...they can and will go after the family.

If you think that's bad wait till it's a third-party handling a toll-booth error. That's a government debt so they have even less regulation.

Re:

[alvinrod]

Do they keep calling after the debt has been paid?

If you feel so bad for these people who have to suffer someone calling their phone you could always offer to pay off their debts so the calls stop. Most of them will take Pennie's on the dollar because the deadbeats they're trying to collect from are never going to pay.

Re:

[StormReaver]

...A debt collector can; and if the debtor is dead...they can and will go after the family.

No, a debt collector cannot. The Fair Debt Collection Practices Act explicitly forbids this kind of harassment.

 806. Harassment or abuse

A debt collector may not engage in any conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of a debt.

On top of that, debts die with the debtor. If a debt cannot be collected within the debtor's lifetime, then the creditor is just out of luck. It's over. The debt goes *poof*.

Re: made it clear its own systems were not broken

[writeRight]

>> toll-booth error

I chuckle when I hear about people who put their name as the owner of their car. There is information on this information superhighway thingamajiggy about how to stop using your name for everything. But it's easier to spend our days in a doom scroll and then complain.

The managers, CEOs, of these companies need to...

[Dr_Ken]

...feel the heat about this before they will see the light and seriously address this problem. And I mean by "heat" harsher consequences than merely issuing an embarrassing press release and then offering their client victims a free year's sub to some credit watch firm. Not good enough. Fix this now or we'll have to release the lawyers on you.