One of the biggest telecom providers in the United States, Comcast, has revealed that a ransomware attack on Financial Business and Consumer Solutions (FBCS), a third-party debt collection service provider, exposed the personal data of around 238,000 customers.
Comcast Business disclosed this in its 2024 Cybersecurity Threat Report, based on the analysis of 29 billion cybersecurity events detected by Comcast Business across its security customers in 2023.
The company reported the security incident in a complaint filed with the Maine Attorney General’s Office.
Comcast, originally American Cable Systems and later Comcast Holdings, is a multinational telecommunications and media company founded and based in Philadelphia.
The breach, which occurred in February 2024, affected sensitive data such as consumers’ names, addresses, dates of birth, Social Security numbers, and account information.
In a warning to subscribers filed with the Maine Attorney General’s Office, Comcast stated that the security incident “occurred entirely at FBCS and not at Xfinity or on Comcast systems.”
The incident took place between February 14 and 26, 2024, during which time cybercriminals obtained access to FBCS’s networks.
During the ransomware attack, the attackers allegedly exfiltrated enormous volumes of data and encrypted some systems.
The affected Comcast customers registered around 2021; the exposure is tied to FBCS’s data retention practices, under which data is kept beyond its working relationship with the telecom provider.
Comcast is offering affected customers free identity theft protection services for at least a year through enrollment in CyEx Identity Defense Complete, which includes credit monitoring.
Authorities are currently examining the full scope of the ransomware incident, although no major ransomware gang has claimed responsibility thus far.
While Comcast continues to respond to the breach, the incident highlights the risks that businesses face when relying on third-party providers for services, particularly in data handling and security.