About a quarter million Comcast subscribers had their data stolen from debt collector

Cable giant says ransomware involved, FBCS keeps schtum


Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion.

That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected.

However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.

Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020.

Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023.

FBCS earlier said more than 4 million people had their records accessed during that February break-in.

As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack.

In a letter to affected customers, Comcast said FBCS had provided it the following information: "From February 14 and February 26, 2024, an unauthorized party gained access to FBCS's computer network and some of its computers. During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.

"Upon discovering the attack on February 26, 2024, FBCS launched an investigation with the assistance of third-party cybersecurity specialists. In the course of that investigation, FBCS discovered that the files downloaded by the unauthorized party contained personal information, including personal information about you. FBCS also notified the Federal Bureau of Investigation (FBI) of this attack."

The Reg has asked FBCS to confirm the ransomware element. The FBI declined to comment.

FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS.

When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter.

The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.

"FBCS notified Comcast that due to its current financial status, it would no longer be able to provide notices or credit monitoring protection to individuals impacted by the incident," reads the letter to those affected. "As such, we are contacting you directly and providing support services."

We also asked FBCS to comment on this element of the notification. So far, the agency is staying silent.

Comcast sent letters to affected customers in August, though the notification was made public by the US state of Maine only this week.

CF Medical also filed a similar breach notification to Comcast's in late September, saying FBCS only discovered its customers were affected in July.

CF Medical is the trade name for Capio, another debt collection agency, which used to be a customer of FBCS. It stated that 626,396 of its customers were affected, though the letter did not mention ransomware nor FBCS's financial inability to offer credit monitoring services in the same way Comcast's letter did.

The Reg also asked FBCS whether it expects many more notifications to be made since it alerted former clients of affected data in July. ®
