Full Report
Comcast will pay a $1.5 million fine to settle a Federal Communications Commission investigation into a February 2024 vendor data breach that exposed the personal information of nearly 275,000 customers. [...]
Analysis Summary
# Incident Report: Vendor Data Breach Exposing Comcast Customer PII
## Executive Summary
A data breach occurred in February 2024 at Financial Business and Consumer Solutions (FBCS), a former Comcast vendor, exposing the personal information of nearly 275,000 Comcast customers. The incident was discovered five months later via notification from the now-bankrupt vendor. As a result, Comcast settled an FCC investigation by agreeing to pay a $1.5 million fine and implement stringent new security and vendor oversight compliance plans.
## Incident Details
- Discovery Date: July 15, 2024 (Notification from FBCS)
- Incident Date: February 2024 (Data theft occurred between February 14 and February 26, 2024)
- Affected Organization: Comcast (Breach occurred at Third-Party Vendor: Financial Business and Consumer Solutions - FBCS)
- Sector: Telecommunications, Financial Services/Debt Collection
- Geography: USA (Implied, involving FCC regulation)
## Timeline of Events
### Initial Access
- Date/Time: February 14 - February 26, 2024
- Vector: Compromise of systems belonging to the third-party vendor, FBCS.
- Details: Threat actors successfully accessed and exfiltrated data housed on FBCS systems.
### Lateral Movement
- Not specified; the public reporting does not describe the attackers' activity within FBCS systems.
### Data Exfiltration/Impact
- Threat actors stole personal and financial information belonging to 273,703 Comcast current and former customers.
### Detection & Response
- **Detection:** Comcast was initially assured by FBCS in March 2024 that its customers were not affected. Comcast was formally notified on July 15, 2024.
- **Response Actions:** Comcast entered into a consent decree with the FCC, resulting in a $1.5 million fine and mandatory compliance measures.
## Attack Methodology
The report focuses on the impact on Comcast's customer data rather than the specifics of the intrusion into FBCS.
- Initial Access: Vendor Compromise (Hacking into FBCS systems).
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: Theft of PII/Financial Data.
- Exfiltration: Data stolen from FBCS environment.
- Impact: Exposure of sensitive customer records.
## Impact Assessment
- Financial: $1.5 million fine paid to the FCC; FBCS filed for bankruptcy.
- Data Breach: Personal Information (PII) and financial data of **273,703 Comcast customers**. Data included names, addresses, Social Security numbers, dates of birth, and Comcast account numbers.
- Operational: No mention of direct operational disruption to Comcast’s core services; impact was focused on regulatory and remediation efforts.
- Reputational: Negative publicity leading to an FCC regulatory enforcement action.
## Indicators of Compromise
*No specific technical IoCs (IPs, hashes, domains) were provided in the article.*
## Response Actions
The primary recorded response actions were regulatory and future-facing, guided by the FCC settlement:
- **Containment/Eradication:** Not detailed; presumed to have been handled by FBCS prior to or during its bankruptcy proceedings.
- **Recovery Actions (Regulatory):** Agreement to implement an enhanced vendor oversight compliance plan.
- **Mandatory Compliance:**
  * Ensure vendors properly dispose of customer information they no longer need.
  * Appoint a compliance officer.
  * Conduct comprehensive risk assessments of vendors handling customer data biannually.
  * Submit status reports to the FCC every six months for three years.
  * Report any material violations within 30 days of discovery.
## Lessons Learned
- Reliance on third-party vendors (even former ones) creates significant downstream liability concerning customer data stewardship.
- Inadequate vendor security posture directly leads to regulatory penalties for the primary data holder (Comcast), even when the primary network is not breached.
- Initial assurances from a vendor about a breach's scope can be inaccurate, requiring continuous validation and monitoring of vendor incidents.
## Recommendations
- Immediately review and enhance third-party risk management (TPRM) programs, focusing specifically on data retention, disposal policies, and the security hygiene of vendors handling high-value customer PII, regardless of contract status.
- Mandate clear, expedited breach notification timelines in all vendor contracts, shorter than the applicable regulatory deadlines where necessary to protect customer data.
- Implement periodic, independent audits of key vendor security controls for any entities that have access to sensitive customer data.