A Quarter Million Comcast Subscribers Had Data Stolen From Debt Collector (theregister.com) 38
An anonymous reader quotes a report from The Register: Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion. That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected. However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.
Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020. Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023. FBCS earlier said more than 4 million people had their records accessed during that February break-in. As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack. [...]
FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS. When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter. The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.
Got a laugh out of me (Score:2)
“Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023.”
LOL, especially this happened AFTER the breach in question!
Re: (Score:3)
Offer affected "bad" customers who went into debt collection to waive any amounts disputed. This should solve most cases.
WTF? (Score:4)
Re: (Score:3)
> company even have your date of birth or social security number?
The Control Grid exists to extract maximum wealth from the Working Class and to keep track of conscripts to be riddled with bullets in foreign wars of adventure.
So even if you leave town, unlike in the rest of Human history, you can't start over - you need DOB and SSN to buy or sell, rent, or get a job so the debt collectors and Draft Officers can find you.
Most people can't handle the misery of accepting this status quo because immortality
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?
They wouldn't. The collector would, though.
The part I find interesting is that by the letter of the law, I'm not sure whether Comcast (as opposed to FBCS) is required to disclose this breach, since it was not a breach of a system they controlled. The fact that information was breached that they themselves did not possess in their own database seems relevant.
Re: (Score:3)
Comcast, and most companies, require a credit check for services.
They collect your SSN to run the check as well as to have something to report against when they sell your debt.
Re: (Score:2)
Credit checks. They will not give you service unless you pass a credit check because they claim they are leasing you equipment.
But remember that debt collectors collecting a debt gain a lot of additional rights. They can start to harass your family to collect. They can track you down.
The fact is, the information the debt agency has is far more comprehensive than the cable company.
Re: WTF? (Score:3, Insightful)
I got service, and their crappy gateway unit, without SSN and without birthday. I politely say 'no thank you', just like I did for natural gas service. Anyone can ask for your SSN and DNA and some people say 'no'. Other people love giving away privacy because it keeps them safe or something. It's the same with getting a USA passport - I have left the SSN field blank, and used all zeros, and used a random number for me and my family.
Re: (Score:3)
Re: (Score:3)
They can probably just get your SSN from a third party and add it to their internal records. It's not like it's a secret.
You're given that illusion by them (for example) covering it up with asterisks on the paperwork you're given, while their other hand is selling it out the back door.
If someone could go through life without ever having to provide their SSN anywhere, it wouldn't be valuable. You've given it to your employers, banks, insurance, and medical providers at a minimum. From there it gets spread th
Re: (Score:2)
Re: (Score:2)
Why date of birth and SSN (Score:2)
Re: Why date of birth and SSN (Score:1)
Re: (Score:2)
Just say no.
Me: Now, may I please have service.
Comcast: No.
Me: But I'm a POC and don't have identification.
Comcast: No.
Me: Well, at least I can still vote.
Re: Why date of birth and SSN (Score:1)
Re: (Score:2)
without providing SSN or birth date
Do you pay them with cash?* If not, they probably already have all that.
*Bitcoin might work as well.
Re: (Score:2)
... don't have a unique identifier.
The point of government-issued numbers (SSN, passport, taxation, license) is to quickly identify a person. I find it impossible to believe that SSN & DoB don't provide a unique number. That means no business needs extra details.
The problem is the opposite of what you say: SSN and DoB of a person is easy to acquire, because someone already has it. Thus, businesses need more and more numbers to prove they're dealing with the real owner of that SSN.
The US has already mandated an answer to that prob
Re: (Score:2)
Strictly speaking, they're not about identifying a person. Those numbers are used to conveniently look up a person's files after confirming their identity. (The physical passport or license is another matter. Those are forms of identification - something you have, as well as containing information on some things you are.)
The rest of your post is informative.
Re: (Score:2)
Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?
Ironically, for fraud prevention.
Getting a contract is essentially getting credit, I.E. an unsecured loan, just for services not yet rendered, so they need to ensure that those applying are who they claim to be. Also that they're not minors who are not legally permitted to sign up to such a contract... Especially with the hate boner the religious right has with anyone under 18... or anyone really, potentially seeing... ahem... gentlemen's special interest literature.
This is why the US needs a GDPR sty
made it clear its own systems were not broken into (Score:2)
Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into
Irrelevant. Comcast gave them that data. It's Comcast's responsibility.
Re: (Score:2)
No; because once they sold the debt to a collection agency; a whole new set of rules came into play.
Just remember that Comcast isn't allowed to call your family 20 times a day looking for you; that's harassment.
A debt collector can; and if the debtor is dead...they can and will go after the family.
If you think that's bad wait till it's a third-party handling a toll-booth error. That's a government debt so they have even less regulation.
Re: (Score:2)
If you feel so bad for these people who have to suffer someone calling their phone you could always offer to pay off their debts so the calls stop. Most of them will take pennies on the dollar because the deadbeats they're trying to collect from are never going to pay.
Re:made it clear its own systems were not broken i (Score:5, Informative)
...A debt collector can; and if the debtor is dead...they can and will go after the family.
No, a debt collector cannot. The Fair Debt Collection Practices Act explicitly forbids this kind of harassment.
§ 806. Harassment or abuse
A debt collector may not engage in any conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of a debt.
On top of that, debts die with the debtor. If a debt cannot be collected within the debtor's lifetime, then the creditor is just out of luck. It's over. The debt goes *poof*.
Re: (Score:2)
On top of that, debts die with the debtor. If a debt cannot be collected within the debtor's lifetime, then the creditor is just out of luck. It's over. The debt goes *poof*.
That's not entirely true. They can sue the estate to attempt collection from whatever assets remain after death. They can't go after family directly though AFAIK, which I assume was your point.
Re: (Score:2)
You are correct on both points.
Re: (Score:2)
Re: made it clear its own systems were not broken (Score:1)
I chuckle when I hear about people who put their name as the owner of their car. There is information on this information superhighway thingamajiggy about how to stop using your name for everything. But it's easier to spend our days in a doom scroll and then complain.
The managers, CEOs, of these companies need to... (Score:2)
Liability (Score:3)
Business as usual (Score:2)
Allowing sensitive personal data to be stolen isn't a crime, so there will be no punishment for this, as per usual