Xfinity Customer Learned of Data Breach While Probing Fraud Incident: Class Action
Comcast customer Vince Estevez and his wife experienced identity theft and were victims of financial fraud resulting from cloud computing company Citrix Systems’ Oct. 10 data breach, alleged their class action Friday (docket 2:24-cv-00800) against Citrix and its customer Comcast in U.S. District Court for Eastern Pennsylvania in Philadelphia.
Estevez, a resident of Pearland, Texas, has spent 40-50 hours over 18-20 phone calls with Comcast and his banks responding to the data breach, and he still spends 30 minutes a week “remaining extra vigilant regarding his credit, reviewing his accounts, and researching the effects” of the breach, in which hackers exploited a vulnerability in Citrix software, known as the Citrix Bleed. The breach affected the personally identifiable information (PII) of some 36 million Comcast customers.
An Xfinity customer for six years, Estevez received a call on Dec. 19 from a person claiming to be a manager at Xfinity, calling to check on his service, said the complaint. Estevez became suspicious as the call went on, hung up and called Comcast directly to explore whether his service was working properly, the complaint said. When he called Comcast, he learned of the data breach, for the first time, via automated message, it said. An agent told Estevez that if he had received a call from a Comcast manager -- something that’s done “on occasion” -- it would “likely have been a mistake” because his service was working.
A half hour later, Estevez received another call from a different person claiming to be from Xfinity and checking on service, the complaint said. The person asked Estevez to read out a six-digit code to confirm that his phone was connecting to Comcast; Estevez did so and soon after, his phone was dead. The caller “had stolen his number,” the complaint said. Estevez called Comcast again and learned his account had been disconnected, which he had not requested.
In the next two days, Estevez received emails from his bank that more wire transfer requests had been made on his accounts, said the complaint. Transfers for $5,000 and $4,000 went through, but the bank caught and stopped two others. Estevez ultimately was refunded for the fraudulent wires, the complaint said. Hackers also used Estevez’s credit card to borrow $18,000 and move it to a newly created bank account. The transfer went through, but the bank, acknowledging fraud had occurred, refunded his account, it said.
Additional fraudulent activity occurred on Estevez's wife’s credit card account, for which she was refunded, said the complaint. Capital One called Estevez and his wife and asked for the driver’s license numbers to approve an application for a new card, the complaint said. “This incident suggests that the hackers have the Social Security numbers of both” Estevez and his wife, it said. Estevez’s PII was also used to access his Netflix account, it said.
As a result of the fraudulent events, Estevez bought identity theft protection for him and his wife at an annual charge of $440, the complaint said. Since then, he and his wife have had subsequent notifications related to thieves attempting to apply for credit or purchase expensive items using their credit information, it said. Due to Estevez’s PII being accessed by an unauthorized actor in the data breach, Estevez’s sensitive information “has been irreparably harmed” and “for the rest of his life,” he will have to “worry about when and how his sensitive information may be shared or used to his detriment,” the complaint said.
Comcast and Citrix’s data and cybersecurity obligations to customers were particularly important “given the substantial increase in cyberattacks and/or data breaches targeting cable and software companies that collect and store PII,” the complaint said. It also cited data from the Identity Theft Resource Center, saying 66.7 million individuals’ PII had been compromised via breaches affecting 7,333 organizations in Q3 of last year.
To prevent and detect cybertheft or ransomware attacks, the defendants should have implemented measures identified by the Microsoft Threat Protection Intelligence Team, including applying the latest security updates, using threat and vulnerability management, performing regular audits and removing privileged credentials, said the complaint. They also should have prioritized and treated commodity malware infections as “potential full compromise,” among other actions, it said.
Estevez asserts claims of negligence and negligence per se; breach of implied contract and third-party beneficiary contract; and unjust enrichment. He seeks an order for himself and the class requiring defendants to implement and maintain comprehensive information security programs, plus actual, nominal and consequential damages; prejudgment interest; and attorneys’ fees and costs. Comcast had no comment; a Citrix spokesperson emailed the company doesn't comment on pending litigation.