A Quarter Million Comcast Subscribers Had Data Stolen From Debt Collector (theregister.com)
An anonymous reader quotes a report from The Register: Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion. That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected. However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.
Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020. Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023. FBCS earlier said more than 4 million people had their records accessed during that February break-in. As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack. [...]
FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS. When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter. The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.
Got a laugh out of me (Score:2)
“Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023.”
LOL, especially this happened AFTER the breach in question!
Re: (Score:3)
Offer affected "bad" customers who went into debt collection to waive any amounts disputed. This should solve most cases.
WTF? (Score:2)
Re: (Score:2)
> company even have your date of birth or social security number?
The Control Grid exists to extract maximum wealth from the Working Class and to keep track of conscripts to be riddled with bullets in foreign wars of adventure.
So even if you leave town, unlike in the rest of Human history, you can't start over - you need DOB and SSN to buy or sell, rent, or get a job so the debt collectors and Draft Officers can find you.
Most people can't handle the misery of accepting this status quo because immortality
Re: (Score:2)
> Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?
They wouldn't. The collector would, though.
The part I find interesting is that by the letter of the law, I'm not sure whether Comcast (as opposed to FBCS) is required to disclose this breach, since it was not a breach of a system they controlled. The fact that information was breached that they themselves did not possess in their own database seems relevant.
Re: (Score:2)
Comcast, and most companies, require a credit check for services.
They collect your SSN to run the check as well as to have something to report against when they sell your debt.
Re: (Score:2)
Credit checks. They will not give you service unless you pass a credit check because they claim they are leasing you equipment.
But remember that debt collectors collecting a debt gain a lot of additional rights. They can start to harass your family to collect. They can track you down.
The fact is, the information the debt agency has is far more comprehensive than the cable company.
Re: WTF? (Score:1)
I got service, and their crappy gateway unit, without SSN and without birthday. I politely say 'no thank you', just like I did for natural gas service. Anyone can ask for your SSN and DNA and some people say 'no'. Other people love giving away privacy because it keeps them safe or something. It's the same with getting a USA passport - I have left the SSN field blank, and used all zeros, and used a random number for me and my family.
Why date of birth and SSN (Score:2)
Re: Why date of birth and SSN (Score:1)
Re: (Score:2)
Just say no.
Me: Now, may I please have service.
Comcast: No.
Me: But I'm a POC and don't have identification.
Comcast: No.
Me: Well, at least I can still vote.
Re: Why date of birth and SSN (Score:1)
made it clear its own systems were not broken into (Score:2)
> Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into
Irrelevant. Comcast gave them that data. It's Comcast's responsibility.
Re: (Score:2)
No; because once they sold the debt to a collection agency; a whole new set of rules came into play.
Just remember that Comcast isn't allowed to call your family 20 times a day looking for you; that's harassment.
A debt collector can; and if the debtor is dead...they can and will go after the family.
If you think that's bad wait till it's a third-party handling a toll-booth error. That's a government debt so they have even less regulation.
Re: (Score:2)
If you feel so bad for these people who have to suffer someone calling their phone you could always offer to pay off their debts so the calls stop. Most of them will take pennies on the dollar because the deadbeats they're trying to collect from are never going to pay.
Re: (Score:3)
> ...A debt collector can; and if the debtor is dead...they can and will go after the family.
No, a debt collector cannot. The Fair Debt Collection Practices Act explicitly forbids this kind of harassment.
§ 806. Harassment or abuse
A debt collector may not engage in any conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of a debt.
On top of that, debts die with the debtor. If a debt cannot be collected within the debtor's lifetime, then the creditor is just out of luck. It's over. The debt goes *poof*.
Re: made it clear its own systems were not broken (Score:1)
I chuckle when I hear about people who put their name as the owner of their car. There is information on this information superhighway thingamajiggy about how to stop using your name for everything. But it's easier to spend our days in a doom scroll and then complain.
The managers, CEOs, of these companies need to... (Score:2)
Liability (Score:2)