Comcast Failed to Protect 237,703 Customers in FBCS Data Breach
Telecommunications giant Comcast allegedly entrusted customer Social Security numbers, birthdates, and addresses to a debt-collection vendor with inadequate data security, resulting in a massive breach that exposed sensitive information to cybercriminals.
Monica Thomas filed a class action lawsuit against Comcast after a data breach at FBCS, a debt collection vendor, exposed the personal information of at least 237,703 Comcast customers. The breach, discovered in February 2024 but not disclosed to affected customers until August, compromised names, Social Security numbers, dates of birth, addresses, and account numbers. The lawsuit alleges Comcast failed to vet FBCS’s data security practices and allowed the vendor to retain customer data years after their business relationship ended, violating federal law and industry standards.
Large corporations routinely entrust your most sensitive data to third parties. When those vendors fail, you pay the price.
The Allegations: A Breakdown
| No. | Allegation | Severity |
| --- | --- | --- |
| 01 | Comcast provided customer Social Security numbers, dates of birth, names, addresses, and account information to FBCS, a debt collection vendor, without properly vetting the vendor’s data security practices or ensuring compliance with industry standards. | critical |
| 02 | The company failed to encrypt or redact highly sensitive personally identifiable information before transferring it to FBCS, leaving it vulnerable to unauthorized access and theft. | critical |
| 03 | Comcast allowed FBCS to retain customer data from approximately 2021, years after the companies stopped working together in 2020, creating unnecessary risk to former customers who believed their relationship with Comcast had ended. | high |
| 04 | The telecommunications giant learned of the data breach at FBCS on March 13, 2024, but did not notify affected customers until August 16, 2024, a delay of more than five months during which customers remained unaware and vulnerable to identity theft. | high |
| 05 | Comcast violated the Cable Communications Policy Act by failing to take necessary actions to prevent unauthorized access to subscriber information and by disclosing personally identifiable information without proper consent. | high |
| 06 | The company breached its duty under Section 5 of the Federal Trade Commission Act by failing to use reasonable measures to protect confidential consumer data, constituting an unfair practice in commerce. | high |
| 07 | Comcast made explicit promises to customers in its privacy policy that it would follow industry-standard practices to secure personal information and prevent unauthorized access, promises the data breach proves were hollow. | high |
| 08 | The corporation prioritized cost savings over customer data security by failing to implement adequate vendor oversight processes, penetration testing, security audits, and employee training programs that could have prevented the breach. | medium |
| 01 | Despite FTC guidelines requiring businesses to protect consumer information, encrypt stored data, understand network vulnerabilities, monitor for suspicious activity, and have breach response plans ready, Comcast failed to follow these basic standards. | high |
| 02 | The Cable Communications Policy Act explicitly requires cable operators to prevent unauthorized access to subscriber information, yet Comcast violated this federal mandate by allowing a third-party vendor to expose customer data. | high |
| 03 | Comcast failed to comply with FTC recommendations that companies verify third-party service providers have implemented reasonable security measures before entrusting them with sensitive consumer data. | high |
| 04 | The company violated industry standards including the NIST Cybersecurity Framework and the Center for Internet Security’s Critical Security Controls, which establish minimum requirements for reasonable cybersecurity readiness. | medium |
| 05 | Federal law requires that companies not maintain personally identifiable information longer than needed for transaction authorization, yet FBCS retained Comcast customer data years beyond any legitimate business purpose. | medium |
| 06 | Comcast failed to ensure FBCS deleted or archived inactive customer data and files, violating basic data retention and destruction principles that could have limited the breach’s scope. | medium |
| 01 | Comcast enriched itself by saving the costs it should have spent on adequate data security measures, choosing to increase profit margins at the direct expense of customer safety and privacy. | high |
| 02 | The company derived substantial economic benefit from collecting and using customer personally identifiable information to provide services, yet failed to invest proportionally in protecting that valuable data. | high |
| 03 | Comcast calculated that implementing cheaper, ineffective security measures would increase corporate profit, prioritizing financial gain over the foreseeable harm to hundreds of thousands of customers. | high |
| 04 | The corporation obtained customer data as a condition of service, profited from that data through business operations, but did not fully compensate customers for the value their information provided when it failed to secure it properly. | medium |
| 05 | Comcast failed to implement basic security practices that experts recommend, including employee education, strong passwords, multilayer security, firewalls, anti-virus software, encryption, multi-factor authentication, and limiting employee access to sensitive data. | medium |
| 06 | The company chose not to invest in regular database scanning, penetration testing, security audits, or automated security monitoring that could have detected the breach when it began or prevented it entirely. | medium |
| 01 | Affected customers now face credit monitoring and identity theft protection costs of approximately $200 per year for a minimum of five years, costs they would not have to bear but for Comcast’s failure to safeguard their information. | high |
| 02 | Victims have lost the value of their personally identifiable information, which has a market value ranging from $40 to $200 on the dark web and can sell for up to $363 per record according to cybersecurity experts. | high |
| 03 | Customers suffered damages from the diminution in value of their data, as the personally identifiable information is now readily available to criminals, and the rarity and exclusivity of the data has been permanently lost. | high |
| 04 | Affected individuals have spent and will continue to spend considerable time monitoring accounts, reviewing credit reports, contacting credit bureaus to place freezes, changing passwords, and checking for fraudulent activity, representing lost time and productivity. | medium |
| 05 | The Government Accountability Office found that identity theft victims face substantial costs and time to repair damage to their good name and credit record, harms that can persist for years after a data breach. | medium |
| 06 | A study by the Identity Theft Resource Center shows that 80.7% of identity theft victims had to borrow money, 73.8% were generally inconvenienced, 55.7% missed time away from work, and 44.3% lost out on employment opportunities. | medium |
| 07 | Customers face imminent risk of fraud and identity theft for many years into the future, as law enforcement officials note that stolen data may be held up to a year or more before being used, and fraudulent use may continue for years once data is sold or posted online. | medium |
| 08 | The personally identifiable information stolen in this breach is significantly more valuable than payment card information because victims cannot simply cancel or close their Social Security numbers, which are impossible to change and remain vulnerable for life. | high |
| 01 | Comcast knew or should have known that institutions collecting and storing personally identifiable information are particularly susceptible to cyberattacks because of the value of such data, yet failed to take appropriate protective measures. | high |
| 02 | The company was fully aware of the sensitivity of customer data and the types of harm customers would suffer if information were wrongfully disclosed, yet breached its duty of care anyway. | high |
| 03 | Comcast made explicit promises in its Privacy Policy to follow industry-standard practices to secure collected information and prevent unauthorized access, use, or disclosure, but the data breach demonstrates these were empty promises. | high |
| 04 | The corporation stated publicly that strong cybersecurity is essential to privacy and that it works to protect customers with multiple layers of security, detecting and blocking hundreds of thousands of cyber events every second with a 24/7 security team, claims the breach proves were false. | high |
| 05 | Comcast breached express and implied contracts with customers by failing to safeguard their information and failing to provide timely and accurate notice that data was compromised in the breach. | medium |
| 06 | The company failed to properly monitor its own data security systems for existing intrusions, failed to detect the breach in a timely manner, and failed to act upon data security warnings and alerts promptly. | medium |
| 07 | Comcast disregarded customer rights by intentionally, willfully, recklessly, or negligently failing to ensure FBCS had adequate safeguards in place to protect information after it was transferred to the debt collector. | medium |
| 08 | The telecommunications giant failed to implement processes that would detect a compromise of personally identifiable information in a timely manner, allowing the breach to continue undetected for an extended period. | medium |
| 01 | Comcast’s breach notification letter omitted critical details including the root cause of the breach, the specific vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again. | high |
| 02 | The notice provided no real disclosure at all, failing to inform customers with any degree of specificity about the breach’s critical facts, severely diminishing victims’ ability to mitigate resulting harms. | high |
| 03 | Comcast learned of the data breach on March 13, 2024, but FBCS did not notify Comcast that customer data was impacted until July 17, 2024, and Comcast did not begin sending notices to customers until August 16, 2024, a timeline suggesting deliberate delay. | high |
| 04 | The company’s notification strategy appears designed to shift blame to FBCS by emphasizing that the vendor experienced the breach, while minimizing Comcast’s own responsibility for choosing an inadequate vendor and failing to oversee its security practices. | medium |
| 05 | Comcast stated in its privacy materials that it believes strong cybersecurity is essential to privacy and takes responsibility for safeguarding personal information seriously, yet these public relations claims ring hollow in light of the massive breach. | medium |
| 01 | Many victims of this breach are lower-income or credit-constrained individuals who were behind on Comcast bills and subject to collection attempts, the very consumers least able to absorb the financial toll of identity theft. | high |
| 02 | The data breach intensifies existing inequality, as the burdens of corporate missteps fall disproportionately on financially vulnerable populations who now must pay for credit monitoring and spend hours protecting themselves from fraud. | high |
| 03 | While Comcast is a multibillion-dollar corporation with vast resources to fight litigation and absorb reputational damage, affected customers are regular people facing life-altering repercussions including time loss, stress, and ongoing vigilance that overshadows daily life. | medium |
| 04 | The complaint frames a classic imbalance where individual plaintiffs rely on statutory tools to champion consumer rights against a telecommunications giant that can afford costly discovery, prolonged legal battles, and extensive public relations campaigns. | medium |
| 05 | Victims may be deterred from applying for future credit, fearing their compromised information will be used against them, potentially hampering their ability to secure loans for education, housing, or medical needs. | medium |
| 06 | The system encourages large corporations to collect and retain as much personal data as possible for marketing, analytics, and enforcement purposes despite the risk and cost to the public when breaches inevitably occur. | medium |
| 01 | Affected customers reported a spike in spam calls, text messages, and phishing emails following the breach, as cybercriminals use exposed information to target victims with scams designed to extract even more sensitive data. | medium |
| 02 | The breach erodes confidence in digital commerce, potentially harming even local businesses that rely on consumer trust as victims become skeptical about providing personal information to any entity. | medium |
| 03 | Victims suffer emotional distress, anxiety about personal financial security, sleep disruption, stress, fear, and frustration, injuries that go far beyond mere worry or inconvenience and represent real psychological harm. | medium |
| 04 | The unauthorized disclosure of personally identifiable information to strangers who likely have nefarious intentions creates ongoing anxiety for victims who fear criminals now have prime opportunities to commit identity theft, fraud, and other attacks. | medium |
| 01 | Comcast could have prevented this data breach by properly securing customer information, ensuring vendor data security met industry standards, and requiring FBCS to delete sensitive information after it was no longer needed. | critical |
| 02 | The breach was reasonably foreseeable given the known high frequency of cyberattacks and data breaches at large corporations that collect and store personally identifiable information, making Comcast’s failure to prepare even more inexcusable. | high |
| 03 | Customers had no ability to protect their information once it was in Comcast’s and FBCS’s possession, and Comcast was in a position to protect against the harm but chose not to invest in adequate safeguards. | high |
| 04 | The present and continuing risk to victims of the data breach will remain for their respective lifetimes, as Social Security numbers and birthdates cannot be changed and will forever be vulnerable to criminal exploitation. | critical |
| 05 | Comcast’s conduct demonstrates how large corporations externalize risk by hiring third-party vendors while the actual costs of a breach fall most heavily on individual consumers whose data is compromised. | high |
| 06 | This data breach exemplifies a pattern where corporate convenience and profit maximization overshadow the need to safeguard consumer data, a predictable outcome within an economic system that largely relies on self-regulation and cost-benefit analyses to drive compliance. | high |
Direct Quotes from the Legal Record
“Your privacy matters to us. We know you rely on us to stay connected to the people and things you care about most. And your privacy is essential when you use our products and services. That’s why we’re always working to keep your personal information secure and put you in control of it.”
💡 This public promise from Comcast’s website shows the company understood its duty to protect customer data, making its failure to do so even more egregious.
“We believe strong cybersecurity is essential to privacy. We help protect you with multiple layers of security that automatically detect and block hundreds of thousands of cyber events every second and a team of security experts who work to protect you 24 hours a day, 365 days a year.”
💡 Comcast explicitly promised round-the-clock protection from cyber threats, a promise the massive data breach proves was hollow marketing language rather than operational reality.
“We follow industry-standard practices to secure the information we collect to prevent the unauthorized access, use, or disclosure of any personal information we collect and maintain. These security practices include technical, administrative, and physical safeguards, which may vary, depending on the type and sensitivity of the information.”
💡 Comcast’s own privacy policy establishes that the company committed to following industry standards to protect customer information, standards it admittedly failed to meet.
“Defendants failed to adequately protect Plaintiff’s and Class Members’ PII and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted PII was compromised due to Defendants’ negligent and/or careless acts and omissions and their utter failure to protect their customers’ sensitive data.”
💡 This shows Comcast did not even take the basic step of encrypting Social Security numbers and other highly sensitive data before sharing it with a third-party vendor.
“On March 13, 2024, FBCS notified Comcast that it had experienced a data breach incident, but that Comcast consumer data was not impacted. However, on July 17, 2024, FBCS notified Comcast of its new finding that Comcast data was impacted.”
💡 Comcast learned of the breach in March but did not notify customers until August, leaving victims vulnerable to identity theft for months while unaware their information had been stolen.
“FBCS received your information because they previously provided Comcast with collections-related services for delinquent payments until 2020, when Comcast ceased working with FBCS. The compromised information about you dates from around 2021, as FBCS is subject to data retention requirements beyond Comcast’s working relationship with FBCS.”
💡 Comcast allowed a debt collector to retain sensitive customer data for years after their business relationship ended, unnecessarily exposing former customers to risk.
“In a filing with the Office of the Maine Attorney General, FBCS confirms that the PII of 4,253,394 individuals was exposed by the Data Breach.”
💡 This shows the massive scale of the breach affecting more than 4.2 million people, demonstrating how one vendor’s security failure can harm millions across multiple corporations.
“On October 3, 2024, Comcast filed a notice with the Maine Attorney General confirming that 237,703 individuals impacted by the FBCS data breach were related to the Comcast portion of the breach.”
💡 This official filing confirms that nearly a quarter million Comcast customers had their sensitive personal information exposed due to the company’s failures.
“According to the Comcast Notice, the PII involved in the Data Breach may include Plaintiff’s and Class Members’ name, address, Social Security number, date of birth, Comcast account number, and ID numbers used internally at FBCS.”
💡 The breach exposed the exact combination of information criminals need to steal identities, open fraudulent accounts, and cause lasting financial harm to victims.
“PII can be sold at a price ranging from $40 to $200. Criminals can also purchase access to entire company data breaches from $900 to $4,500.”
💡 This demonstrates the significant black market value of the stolen information, proving that cybercriminals had strong financial incentives to exploit the breach.
“The retail cost of credit monitoring and identity theft monitoring can cost around $200 a year per Class Member. This is a reasonable and necessary cost to monitor and protect Class Members from the risk of identity theft that arose from the Data Breach. This is a future cost, for a minimum of five years, that Plaintiff and Class Members would not need to bear but for Defendants’ failure to safeguard their PII.”
💡 Victims now face $1,000 in credit monitoring costs over five years, expenses they would never have incurred if Comcast had properly protected their information.
“The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes. Once PII is stolen—particularly Social Security numbers—fraudulent use of that information and damage to victims may continue for years.”
💡 Unlike stolen credit cards that can be cancelled, Social Security numbers cannot be changed, meaning victims face permanent vulnerability to identity theft for the rest of their lives.
“Law enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.”
💡 This government finding proves that the harm from this breach may not surface for years, meaning victims cannot yet know the full extent of damage they will suffer.
“Compared to credit card information, personally identifiable information is worth more than 10x on the black market. The information compromised in this Data Breach—names and Social Security numbers—is impossible to close and difficult, if not impossible, to change.”
💡 This explains why the stolen information is far more dangerous than a typical payment card breach, as victims cannot simply cancel their Social Security numbers the way they would a credit card.
“The FTC recommends that companies not maintain PII longer than is needed for authorization of a transaction, limit access to sensitive data, require complex passwords to be used on networks, use industry-tested methods for security, monitor the network for suspicious activity, and verify that third-party service providers have implemented reasonable security measures.”
💡 Federal regulators have clearly spelled out what companies must do to protect data, making Comcast’s failure to follow these guidelines particularly inexcusable and potentially illegal.