Comcast faces at least two proposed class action lawsuits over a massive 2023 data breach that saw the personal information of approximately 36 million Xfinity customers stolen by hackers.
The cases, filed in Pennsylvania federal court this week, state that as-yet-unknown hackers, between October 16 and October 19, exploited a “critical-rated, unpatched security vulnerability” to access Comcast’s systems and the personally identifiable information of millions of Xfinity customers contained therein. According to the Comcast data breach lawsuits, the information compromised by the perpetrators included Xfinity customers’ names, dates of birth, usernames and hashed passwords, the last four digits of Social Security numbers, and security questions and answers.
The suits stress that data breach victims now face a significantly heightened risk of identity theft, fraud, phishing scams and myriad other harms due to the unauthorized disclosure of their sensitive information. According to the lawsuits, the Xfinity hack stemmed from Comcast’s failure to implement and maintain even basic cybersecurity measures.
“Consequently, Plaintiff and Class Members must devote substantially more time, money, and energy to protect themselves, to the extent possible, from these crimes,” one complaint states.
Comcast data breach stemmed from software provider “vulnerability,” suits say
Comcast’s business portfolio includes Comcast Cable, NBCUniversal and Sky, and the company provides broadband internet, cable television, and mobile and landline telephone services to consumers under the Xfinity brand, the filings say. As of 2022, one suit specifies, Comcast had 34.3 million “customer relationships” across the United States, with at least 500,000 cable customers in most major U.S. cities, over 29 million broadband internet customers, and roughly 15.6 million customers receiving streaming services.
As such, Comcast, which allegedly touts its commitment to safeguarding the information it obtains from consumers, collects and processes personal data for millions of people nationwide, as consumers are required to create an Xfinity account in order to take advantage of the company’s services, the suits relay.
On December 18, Comcast began to send notice to consumers about a data breach affecting Xfinity customers. The Comcast data breach notice stated, in part, that on October 10, 2023, Xfinity software provider Citrix announced a “vulnerability” in one of its products used by thousands of companies nationwide. Though Citrix released a patch to seal the vulnerability and issued “additional mitigation guidance on October 23,” Comcast subsequently realized that its systems had been accessed between October 16 and October 19 due to the system flaw, the notice states.
Per the notice, Comcast determined on November 16 that “information was likely acquired” during the incident, and on December 6 the company concluded that usernames, hashed passwords, contact information and more were compromised.
One data breach lawsuit argues that the delay in Comcast’s implementation of the vulnerability patch allowed hackers to access its systems without authorization, and from there, steal reams of consumer information. The other suit contends that consumers “relied to their detriment” on Comcast’s uniform data security and privacy promises and would not have purchased Xfinity services from the company had they known its systems were vulnerable to attack.
“Comcast’s representations of strong and robust security have proved false and misleading—Comcast admittedly failed to safeguard the sensitive personal identifying information of millions of its consumers or implement robust security measures to prevent this information from being stolen.”
The same lawsuit relays that Comcast’s data breach notice fails to disclose how many consumers were impacted by the incident, “leaving consumers to speculate whether it is likely that their [personal information] has been compromised and without any clear instruction on what they can do to protect themselves” now that their information has been exposed.
“It is believed all of Xfinity’s 35.9 million US consumers had their [personal information] compromised in the breach,” the complaint says.
In a statement sent to The Associated Press this week, Xfinity said that it is “not aware of any customer data being leaked anywhere, nor of any attacks on our customers.” However, one suit claims that data stolen in the Comcast breach has “since been publicly leaked online, which has allowed for digital and potential physical attacks” against victims.
Who’s covered by the Comcast data breach lawsuits?
The lawsuits look to represent all consumers in the United States whose personally identifiable information was compromised in the October 2023 Comcast data breach, announced by the company on December 19, 2023.
I am an Xfinity customer and my data was stolen. How do I sign up?
When a proposed class action case is first filed, there’s usually nothing a consumer needs to do to join, sign up for, or add their name to the lawsuit. It’s typically only if and when a case settles that a consumer covered by the suit—a “class member”—would need to act, usually by filling out and filing a claim form online or by mail.