A Quarter Million Comcast Subscribers Had Data Stolen From Debt Collector

An anonymous reader quotes a report from The Register: Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion. That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected. However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.

Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020. Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023. FBCS earlier said more than 4 million people had their records accessed during that February break-in. As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack. [...]

FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS. When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter. The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.

Got a laugh out of me

[LondoMollari]

“Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023.“

LOL, especially this happened AFTER the breach in question!

Re:

[ls671]

Offer affected "bad" customers who went into debt collection to wave any amounts disputed. This should solve most cases.

WTF?

[Random361]

Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?

Re:

[bill_mcgonigle]

> company even have your date of birth or social security number?

The Control Grid exists to extract maximum wealth from the Working Class and to keep track of conscripts to be riddled with bullets in foreign wars of adventure.

So even if you leave town, unlike in the rest of Human history, you can't start over - you need DOB and SSN to buy or sell, rent, or get a job so the debt collectors and Draft Officers can find you.

Most people can't handle the misery of accepting this status quo because immortality

Re:

[Random361]

That sounds a lot like the Mark of the Beast to me. But, come to think of it, DirecTV (AT&T) probably has that shit on me. I guess when I cancel soon they're really going to want their ten year old shit (even then) equipment back. So they can throw it into a landfill and make their mark destroying the planet. I would do better harvesting some of the chips to do hobby projects. Maybe I'd make a new garage door opener...for myself or hook a binary counter and amplifier up to it for my several thousand clo

Re:

[Malay2bowman]

"You can't take it with you when you go". So the rich are spending their whole lives hoarding wealth, only for that stuff to not mean jack shit to them after they die. Whether you believe in an afterlife or not (I have a strong suspicion there's not), that yacht ain't coming with you. Many dead pharaohs tried

Re:

[ElimGarak000]

Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?

They wouldn't. The collector would, though.

The part I find interesting is that by the letter of the law, I'm not sure whether Comcast (as opposed to FBCS) is required to disclose this breach, since it was not a breach of a system they controlled. The fact that information was breached that they themselves did not possess in their own database seems relevant.

Re:

[DewDude]

Comcast, and most companies, require a credit check for services.

They collect your SSN to run the check as well as to have something to report against when they sell your debt.

Re:

[DewDude]

Credit checks. They will not give you service unless you pass a credit check because they claim they are leasing you equipment.

But remember that debt collectors collecting a debt gain a lot of additional rights. They can start to harass your family to collect. They can track you down.

The fact is, the information the debt agency has is far more comprehensive than the cable company.

Re: WTF?

[writeRight]

>> They will not give you service unless you pass a credit check

I got service, and their crappy gateway unit, without SSN and without birthday. I politely say 'no thank you', just like I did for natural gas service. Anyon can ask for your SSN and DNA and some people say 'no'. Other people love giving away privacy because it keeps them safe or something. It's the same with getting a USA passport - I have left the SSN field blank, and used all zeros, and used a random number for me and my family.

Re:

[bugs2squash]

I always just write in N/A and rarely get challenged on it. I suspect though that they have other ways to find that kind of thing out.

Re:

[sound+vision]

They can probably just get your SSN from a third party and add it to their internal records. It's not like it's a secret.

You're given that illusion by them (for example) covering it up with asterisks on the paperwork you're given, while their other hand is selling it out the back door.

If someone could go through life without ever having to provide their SSN anywhere, it wouldn't be valuable. You've given it to your employers, banks, insurance, and medical providers at a minimum. From there it gets spread th

Re:

[jbengt]

A SSN is not an ID - everyone should quit treating it like one. And a SSN is not a secret, either, it's just an index used to look up your SSI/Medicare/IRS files, and government agencies, banks, security firms, credit companies, employers, etc. all know which one is associated with you.

Re:

[Lehk228]

they require it to sign up, because a lot of deadbeats don't pay their bill

Why date of birth and SSN

[FeelGood314]

They have it because American's don't have a unique identifier. So companies have to collect a lot of immutable data about you so that they can uniquely identify you and so they can merge data from different sources into a single record about you. By not having a unique number we actually give up privacy. By forcing companies to use lots of essentially public data about a person to identify them companies are often forced to use this information as authorization by the individual, opening the individual

Re: Why date of birth and SSN

[writeRight]

No, there is no forcing. It's voluntary consent by the people to give way their info. Just say no.

Re:

[PPH]

Just say no.

Me: Now, may I please have service.
Comcast: No.

Me: But I'm a POC and don't have identification.
Comcast: No.

Me: Well, at least I can still vote.

Re: Why date of birth and SSN

[writeRight]

Was that a fictional interaction? I literally have Comcast service (and cell phone, and electric, and natural gas) without providing SSN or birth date.

Re:

[PPH]

without providing SSN or birth date

Do you pay them with cash?* If not, they probably already have all that.

*Bitcoin might work as well.

Re:

[NotEmmanuelGoldstein]

... don't have a unique identifier.

The point of government-issued numbers (SSN, passport, taxation, license) is to quickly identify a person. I find it impossible to believe that SSN & DoB don't provide a unique number. That means no business needs extra details.

The problem is the opposite of what you say: SSN and DoB of a person is easy to acquire, because someone already has it. Thus, businesses need more and more numbers to prove they're dealing with the real owner of that SSN.

The US has already mandated an answer to that prob

Re:

[jbengt]

The point of government-issued numbers (SSN, passport, taxation, license) is to quickly identify a person.

Strictly speaking, they're not about identifying a person, Those numbers are used to conveniently look up a person's files after confirming their identity. (The physical passport or license is another matter. Those are forms of identification - something you have, as well as containing information on some things you are.)
The rest of your post is informative.

Re:

[mjwx]

Why in the living fuck does a cable/satellite/broadband company even have your date of birth or social security number?

Ironically, for fraud prevention.

Getting a contract is essentially getting credit, I.E. an unsecured loan, just for services not yet rendered, so they need to ensure that those applying are who they claim to be. Also that they're not minors who are not legally permitted to sign up to such a contract... Especially with the hate boner the religious right has with anyone under 18... or anyone really, potentially seeing... ahem... gentlemen's special interest literature.

This is why the US needs a GDPR sty

made it clear its own systems were not broken into

[TheNameOfNick]

Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into

Irrelevant. Comcast gave them that data. It's Comcast's responsibility.

Re:

[DewDude]

No; because once they sold the debt to a collection agency; a whole new set of rules came in to play.

Just remember that comcast isn't allowed to call your family 20 times a day looking for you; that's harassment.

A debt collector can; and if the debtor is dead...they can and will go after the family.

If you think that's bad wait till it's a third-party handling a toll-booth error. That's a government debt so they have even less regulation.

Re:

[alvinrod]

Do they keep calling after the debt has been paid?

If you feel so bad for these people who have to suffer someone calling their phone you could always offer to pay off their debts so the calls stop. Most of them will take Pennie's on the dollar because the deadbeats they're trying to collect from are never going to pay.

Re:made it clear its own systems were not broken i

[StormReaver]

...A debt collector can; and if the debtor is dead...they can and will go after the family.

No, a debt collector cannot. The Fair Debt Collection Practices Act explicitly forbids this kind of harassment.

 806. Harassment or abuse

A debt collector may not engage in any conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of a debt.

On top of that, debts die with the debtor. If a debt cannot be collected within the debtor's lifetime, then the creditor is just out of luck. It's over. The debt goes *poof*.

Re:

[ZenShadow]

On top of that, debts die with the debtor. If a debt cannot be collected within the debtor's lifetime, then the creditor is just out of luck. It's over. The debt goes *poof*.

That's not entire true. They can sue the estate to attempt collection from whatever assets remain after death. They can't go after family directly though AFAIK, which I assume was your point.

Re:

[StormReaver]

You are correct on both points.

Re:

[Malay2bowman]

The whole "sins of the father" didn't sound right. I know some countries do that but not the USA (yet).

Re: made it clear its own systems were not broken

[writeRight]

>> toll-booth error

I chuckle when I hear about people who put their name as the owner of their car. There is information on this information superhighway thingamajiggy about how to stop using your name for everything. But it's easier to spend our days in a doom scroll and then complain.

The managers, CEOs, of these companies need to...

[Dr_Ken]

...feel the heat about this before they will see the light and seriously address this problem. And I mean by "heat" harsher consequences than merely issuing an embarrassing press release and then offering their client victims a free year's sub to some credit watch firm. Not good enough. Fix this now or we'll have to release the lawyers on you.

Liability

[newslash.formatblows]

Everyone in the chain of custody of that information needs to be at least civilly liable. I'd bet if you were owed $1,000 by everyone who lost your data, they'd be a hell of a lot more careful with it.

Business as usual

[peterww]

Allowing sensitive personal data to be stolen isn't a crime, so there will be no punishment for this, as per usual