In a concerning revelation, U.S. telecommunications giant Comcast announced that the personal data of more than 230,000 of its customers was compromised during a ransomware attack on a third-party debt collection agency. The breach, which came to light earlier this year, highlights the increasing vulnerability of large corporations to cyberattacks targeting external partners and suppliers.
The breach occurred following a ransomware attack on Pennsylvania-based Financial Business and Consumer Solutions (FBCS), a company that provided debt collection services for Comcast. The incident has drawn attention to the broader issue of cybersecurity risks that arise from outsourcing sensitive customer data to third-party providers.
Ransomware Attack on Debt Collector FBCS
The cyberattack on FBCS reportedly took place between February 14 and February 26, 2024. During this period, unauthorized individuals accessed FBCS’s computer network, gaining control of certain systems and encrypting data as part of a ransomware attack. The attackers successfully exfiltrated data, affecting millions of people, including Comcast customers.
Comcast was first informed of the breach in March 2024, but at that time, FBCS stated that no Comcast customer data had been compromised. However, the narrative changed in July when FBCS notified Comcast that personal information related to over 230,000 subscribers had indeed been accessed.
The stolen data includes sensitive customer information such as names, addresses, Social Security numbers, dates of birth, Comcast account numbers, and Comcast ID numbers. Notably, the breach primarily affected customers registered with Comcast around 2021. While Comcast discontinued its relationship with FBCS in 2020, the debt collector still held data on some Comcast customers from prior years.
Nature of the Attack and Consequences
The ransomware attack on FBCS has not been claimed by any known cybercriminal group, and details of the security incident remain vague. FBCS confirmed the breach in its own filings with Maine’s attorney general earlier this year, revealing that more than four million people had their personal information accessed. This data included medical claims and health insurance information in certain cases.
CF Medical, a medical debt-purchasing company that operates under the trade name Capio, also reported that its customers’ data had been compromised in the same FBCS breach. More than 620,000 individuals had personal and health information stolen, adding to the already significant list of affected parties.
Truist Bank, one of the largest banking institutions in the U.S., was another major entity impacted by the attack. While the exact number of affected customers remains unknown, Truist’s recent filings confirmed that names, addresses, account numbers, dates of birth, and Social Security numbers were exposed. With a customer base exceeding 10 million, the scale of the breach at Truist Bank could be substantial.