
American mass media, telecommunications, and entertainment company Comcast, which employs more than 182,000 people, serves hundreds of millions of customers globally, and reported $123.7 billion in revenue in 2024, will pay a $1.5 million fine to settle a Federal Communications Commission investigation into a February 2024 vendor data breach that exposed the personal information of nearly 275,000 customers.
The incident originated in February 2024, when attackers infiltrated the systems of Financial Business and Consumer Solutions (FBCS), a debt collection firm that Comcast had stopped using two years earlier. The intrusion allowed threat actors to steal personal and financial information between February 14 and February 26. Compromised data included names, addresses, Social Security numbers, dates of birth, and Comcast account numbers belonging to customers who used the company’s Xfinity-branded internet, television, streaming, VoIP, and home security services.
FBCS initially asserted in March that no Comcast data had been affected. However, the company notified Comcast on July 15, five months after the attack, that 273,703 customers had been impacted. FBCS later disclosed that the breach, which it reported in August 2024 after filing for bankruptcy, grew from an initial estimate of 1.9 million affected individuals to 3.2 million in June and ultimately 4.2 million in July.
The FCC announced a consent decree on Monday that requires Comcast to adopt a comprehensive compliance plan aimed at strengthening vendor oversight and protecting customer privacy. The measures include verifying that third-party vendors properly dispose of customer data they no longer need, as required by the Cable Communications Policy Act of 1984. Comcast must also appoint a compliance officer, conduct risk assessments of vendors handling customer information every two years, submit compliance reports to the FCC every six months for the next three years, and disclose any material violations within 30 days of detection.
Comcast stated that it was not responsible for the breach and did not concede wrongdoing, emphasizing that its own network had not been compromised and that FBCS was contractually obligated to meet security standards.