Comcast Data Breach Exposed PII of All 35.9M Xfinity Customers: Class Action
Comcast’s representations of strong and robust security “have proved false and misleading” because it “admittedly failed to safeguard” the sensitive personal identifying information (PII) of millions of its consumers “or implement robust security measures to prevent this information from being stolen,” alleged California resident Steven Prescott’s eight-count class action Tuesday (docket 2:23-cv-05040) in U.S. District Court for Eastern Pennsylvania in Philadelphia.
At all “material times,” Comcast “failed to maintain proper security measures despite its promises of safety and security to consumers,” said the complaint. Comcast became aware Oct. 10 of a “vulnerability” in a software product it uses, it said. Before Comcast notified consumers, and before mitigation took place, there was “unauthorized access” to Comcast’s internal systems between Oct. 16 and Oct. 19, it said. Comcast concluded Nov. 16 that customers’ PII “was likely acquired,” it said.
Comcast notified customers of the data breach Tuesday, when more than two months had passed since the company learned of the software vulnerability and more than a month had passed since it concluded that customer PII had likely been stolen, said the complaint. In its statements, Comcast didn’t disclose how many consumers’ PII was breached, it said.
That left consumers “to speculate whether it is likely that their PII has been compromised and without any clear instruction on what they can do to protect themselves now that their PII has been exposed,” said the complaint. It’s believed that all of Xfinity’s 35.9 million U.S. consumers had their PII “compromised in the breach,” it said, citing data from the office of Maine Attorney General Aaron Frey (D).
For its internet and cable services, Comcast requires that consumers create an Xfinity account, forcing them to entrust the company with their PII, said Prescott’s complaint. Comcast “holds itself as a trustworthy company” that recognizes and values its customers’ privacy, it said. It has repeatedly assured its customers that it believes strong cybersecurity is essential to privacy, it said.
Prescott and other consumers “relied to their detriment” on Comcast’s “uniform representations and omissions regarding data security,” said the complaint. Comcast failed to alert customers that its security protections were “inadequate,” it said. Had Comcast disclosed to Prescott and its other customers that its data systems weren’t “secure at all and were vulnerable to attack,” they wouldn’t have purchased Comcast’s products or used its services, it said.
The data breach has left Comcast’s customers vulnerable to identity theft, digital phishing scams and SIM-swap attacks, said the complaint. But for Comcast’s “unlawful conduct,” scammers wouldn’t have gained access to customers’ PII, it said. Comcast’s unlawful conduct “has directly and proximately resulted in widespread digital attacks” against consumers, it said. Comcast didn’t comment.