Comcast Agrees to Pay $1.5 Million Fine Over 2024 Vendor Data Breach Impacting 237,000 Customers



The Federal Communications Commission announced this week that Comcast will pay a $1.5 million civil penalty to resolve an investigation into a 2024 data breach at one of its former debt-collection vendors that exposed the personal information of approximately 237,000 current and former customers.

According to the FCC’s enforcement bureau, the compromised data belonged to subscribers of Comcast’s Xfinity internet, television, and home-security services. The breach occurred at Financial Business and Consumer Solutions (FBCS), a third-party debt collector that Comcast had retained until 2022. Even though the business relationship ended two years earlier, FBCS continued to store Comcast customer records containing sensitive personal information.

In a statement to Cord Cutters News, a Comcast spokesperson said, “Comcast was not responsible for and has not conceded any wrongdoing in connection with this incident. The matter involved a former vendor, FBCS, which has not provided services to Comcast since 2022. No Comcast systems were compromised, and FBCS was required to comply with our comprehensive vendor security requirements. We remain committed to continually strengthening our cybersecurity policies and protections to safeguard customer data.”

The incident came to light in early 2024 when FBCS notified affected individuals that cybercriminals had gained unauthorized access to its systems. The exposed information reportedly included names, addresses, dates of birth, partial or full Social Security numbers, account numbers, and details about services subscribers had purchased from Comcast. In some cases, driver’s license numbers and security questions used for account verification were also compromised.

FCC investigators determined that Comcast failed to implement adequate oversight of its former vendor’s data-security practices after the relationship ended. Although Comcast had contractually required FBCS to maintain reasonable security measures and to delete customer data once the contract terminated, the agency found that the company did not sufficiently monitor compliance or ensure the information was actually destroyed. The consent decree states that Comcast also waited too long to notify affected customers after learning of the breach.

Under the terms of the settlement, Comcast neither admitted nor denied wrongdoing but agreed to pay the $1.5 million penalty and to strengthen its vendor-management and data-retention policies. The company must now conduct regular risk assessments of any third party that handles customer personal information, mandate the timely deletion or return of data when contracts end, and submit compliance reports to the FCC for the next several years.

The settlement marks another chapter in a series of privacy enforcement actions against major telecommunications providers. Last year the commission imposed record fines on several wireless carriers for illegally sharing customer location data with third parties. Monday’s action underscores that telecommunications companies can be held responsible for the security failures of their vendors even after the business relationship has concluded.

Comcast has already begun notifying the 237,000 affected individuals and is offering them two years of free credit-monitoring and identity-theft protection services. The company emphasized that there is no evidence the stolen information has been misused so far, though security experts warn that such data often surfaces on underground marketplaces months or years after a breach.

The FCC’s order takes effect immediately, and Comcast has thirty days to make the penalty payment to the U.S. Treasury.


Update: We updated this story with a statement from Comcast.
