Cable giant Comcast agrees to settle data breach lawsuit for $117.5 million

American cable giant Comcast has agreed to pay $117.5 million to settle a class action lawsuit related to a data breach incident in late 2023 that impacted up to 36 million subscribers.

 

The mass media, telecommunications, and entertainment company suffered a significant data breach in October 2023 after malicious actors exploited a security vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway appliances to infiltrate Xfinity, a division of Comcast Corporation that markets cable television, internet, telephone, and wireless services provided by the company.

 

Comcast discovered the data breach on October 25, 2023, during a routine cyber security exercise and conducted an investigation to determine the extent of the data breach. On November 16, the company determined that the malicious actors had exfiltrated vast amounts of customer data, including their usernames, dates of birth, contact information, partial Social Security numbers, and hashed passwords.

 

Comcast informed the Office of the Attorney General of Maine that the data security incident possibly compromised personal data related to as many as 36 million customers. 

 

A class action lawsuit was later filed in the US District Court for the Eastern District of Pennsylvania, alleging that Comcast failed to protect the personal information of about 36 million customers during the data security incident in October 2023 and was liable to pay compensation to all affected customers.

 

Earlier this week, Comcast announced its decision to set up a compensation fund of $117.5 million to settle the data breach class action lawsuit without admitting any wrongdoing or liability on its part. The fund will pay for affected customers’ documented out-of-pocket losses and lost time, notice and administrative costs, attorneys’ fees, and cost of identity defence and restoration services.

 

The settlement figure is due to be approved by the Court on July 7, 2026. Affected customers represented in the class action lawsuit have until August 14 to submit a claim to obtain compensation for out-of-pocket losses and lost time. The affected class action members also have the option to exclude themselves from the settlement payout, object to the terms of the settlement or do nothing, in which case they will not be entitled to a settlement payout but can avail complimentary identity protection services.

 

The media and telecommunications company was previously fined $1.5 million by the Federal Communications Commission over another data breach incident in February 2024 that exposed the personal information of nearly 275,000 customers.

 

The data breach incident involved malicious actors stealing the personal information of Comcast’s customers from the network of Financial Business and Consumer Solutions, a debt collection firm previously used by the cable giant. When imposing the fine, FCC directed Comcast to strengthen vendor oversight and prepare a comprehensive compliance plan to ensure that third-party vendors properly dispose of customer data they no longer need.