Comcast Sold You a Privacy Promise. Then They Handed Your Social Security Number to a Debt Collector and Looked the Other Way.
237,703 Xfinity customers had their names, Social Security numbers, dates of birth, and home addresses stolen in a cyberattack on FBCS — a debt collection agency Comcast stopped using in 2020. The data wasn’t deleted. The vendor wasn’t vetted. The customers weren’t warned for months. A federal class action filed October 8, 2024 says this was negligence, breach of contract, and a violation of federal cable privacy law.
TL;DR
- Comcast handed Social Security numbers, dates of birth, home addresses, and account numbers for hundreds of thousands of customers to FBCS, a debt collection agency, and failed to verify that FBCS had any adequate data security in place.
- Hackers broke into FBCS’s systems between February 14 and February 26, 2024, exposing the personal data of 4,253,394 people total. Of those, 237,703 were Comcast customers.
- Comcast learned of the breach at FBCS on March 13, 2024. They did not notify their own customers until August 16, 2024 — five months later — and only after FBCS told Comcast on July 17 that Comcast customer data was specifically impacted.
- The data Comcast handed to FBCS was never encrypted or redacted. It sat on FBCS’s servers completely unprotected, years after Comcast stopped working with FBCS in 2020.
- The stolen data — Social Security numbers especially — cannot be “cancelled” like a credit card. Victims face identity theft risk for the rest of their lives, with fraudulent use potentially going undetected for years.
- The class action lawsuit (Thomas v. Comcast Cable Communications LLC, et al.) alleges negligence, breach of express and implied contract, unjust enrichment, and violations of the federal Cable Communications Policy Act, which carries statutory damages of at least $1,300 per subscriber per violation.
- Comcast’s privacy policy on Xfinity.com promised customers it used “multiple layers of security” and worked “24 hours a day, 365 days a year” to protect their data. The complaint says this was a lie in practice.
Comcast’s own notice letter — the one they sent victims — openly admits the data that was stolen dates from “around 2021,” years after Comcast says it stopped using FBCS. That letter is described in full in Legal Receipts.
The Non-Financial Ledger: What This Breach Actually Costs a Real Person
Monica Thomas is a woman from Colbert County, Alabama who signed up for Comcast’s internet service. She gave them what they asked for: her name, her date of birth, her Social Security number, her home address. She paid her bill, or she didn’t, and at some point her account went to collections. That’s how her most sensitive information ended up at a debt collection agency called FBCS. That’s how it ended up in a hacker’s hands.
At no point did Monica Thomas agree to have her Social Security number stored, unencrypted, on the servers of a company Comcast had stopped using four years earlier. She had no idea that data was still sitting there. She had no say in it. She had no way to protect it.
When the breach was discovered in February 2024, she was not told. When FBCS informed Comcast in March 2024, she was not told. She found out in August 2024, six months after her information had already been sitting in criminal hands. The lawsuit describes her life in the aftermath: monitoring credit reports, watching for fraudulent charges, fielding a spike in scam calls and phishing texts, losing sleep, feeling anxious. That anxiety is not abstract. It is the feeling of knowing that someone, somewhere, has the key to your financial life, and there is nothing you can do to take it back.
A Social Security number is not like a credit card number. You cannot cancel it. You cannot get a new one easily. The damage it enables — fake tax filings, fraudulent unemployment claims, loans opened in your name, medical debt attached to your identity, bank accounts created without your knowledge — can surface years later, long after you’ve forgotten to keep checking. The U.S. Government Accountability Office has confirmed that stolen data can sit dormant for over a year before it’s used. That means every one of the 237,703 people affected by this breach must live in a state of low-grade financial vigilance for an indefinite period of their lives, because Comcast couldn’t be bothered to check whether the debt collector they were handing private data to had a functioning security system.
The FTC estimates the retail cost of credit and identity theft monitoring at around $200 per year. The lawsuit projects a minimum of five years of such monitoring for each affected person. That’s $1,000 per victim, out of pocket, for a mess they did not create. Multiply that by 237,703 people, and you are looking at nearly a quarter of a billion dollars in monitoring costs that Comcast’s negligence imposed on its own customers — people who were already paying Comcast for a service that came with an explicit promise to keep their data safe.
That promise was on Xfinity’s website. It said: “Your privacy matters to us.” It said Comcast worked “24 hours a day, 365 days a year” to protect customers from exactly this kind of attack. It said Comcast followed “industry-standard practices” with “technical, administrative, and physical safeguards.” What it did not say was that Comcast was transferring Social Security numbers to outside vendors without verifying those vendors could actually protect the data, and leaving that data there years after the vendor relationship ended.
— Complaint, Thomas v. Comcast Cable Communications LLC, Case No. 2:24-cv-05403
Legal Receipts: What the Documents Actually Say
These are direct quotes from the court filing and the official breach disclosures. They are not allegations. They are statements of documented fact and corporate admission, pulled verbatim from the source material.
“On March 13, 2024, FBCS notified Comcast that it had experienced a data breach incident, but that Comcast consumer data was not impacted. However, on July 17, 2024, FBCS notified Comcast of its new finding that Comcast data was impacted.”
— Comcast Notice Letter, as quoted in the Complaint
- This proves Comcast knew about the breach at FBCS for over four months before it acknowledged its own customers were affected. During that window — March 13 to July 17 — customers had zero information and could take no protective action.
- The gap between FBCS’s first notification (“no Comcast data impacted”) and the correction (“actually, Comcast data was impacted”) is itself a damning failure: either FBCS didn’t know whose data was on its own servers, or it was slow to disclose. Either way, Comcast accepted that explanation and did not investigate independently.
“FBCS received your information because they previously provided Comcast with collections-related services for delinquent payments until 2020, when Comcast ceased working with FBCS. The compromised information about you dates from around 2021, as FBCS is subject to data retention requirements beyond Comcast’s working relationship with FBCS.”
— Comcast Notice Letter, as quoted in the Complaint
- Comcast stopped working with FBCS in 2020. The stolen data dates from 2021. This means customer Social Security numbers, home addresses, and dates of birth were sitting on a third-party debt collector’s servers — unencrypted — for years after Comcast ended the business relationship, and Comcast either did not know or did not care.
- The phrase “FBCS is subject to data retention requirements” is Comcast shifting responsibility onto the vendor. The lawsuit argues that Comcast had an independent duty to ensure those retention practices were secure, and that it failed to exercise that duty entirely.
“We help protect you with multiple layers of security that automatically detect and block hundreds of thousands of cyber events every second and a team of security experts who work to protect you 24 hours a day, 365 days a year.”
— Xfinity Privacy Center, as quoted in the Complaint
- This marketing language described Comcast’s own internal systems. It said nothing about what security standards the company demanded from the third-party vendors it handed your Social Security number to. The lawsuit treats the gap between this promise and the reality at FBCS as the core of the breach of contract claim.
- The promise was used to establish that customers had a reasonable expectation their data would be protected in line with industry standards — and that Comcast knew it was making that promise every time a customer signed up.
“On February 26, 2024, FBCS discovered unauthorized access to certain systems in its network… The investigation determined that the environment was subject to unauthorized access between February 14 and February 26, 2024, and the unauthorized actor had the ability to view or acquire certain information on the FBCS network during the period of access.”
— FBCS Notice of Data Event, Office of the Maine Attorney General, as quoted in the Complaint
- Twelve days of open access to systems containing 4.25 million people’s unencrypted personal records. The filing with the Maine Attorney General is a legally required disclosure, meaning these facts were confirmed by the company itself under legal obligation, not merely alleged by the plaintiff.
- FBCS discovered the breach on February 26 but did not notify consumers until April 26 — a full two months of silence, during which stolen data could already be circulating on criminal markets.
— Complaint, ¶9
Societal Impact Mapping: The Damage Goes Beyond One Person’s Credit Score
Public Health: Anxiety, Sleeplessness, and the Cost of Constant Vigilance
Identity theft does not just drain bank accounts. The psychological burden of living with stolen data is documented, ongoing, and entirely imposed on victims through no fault of their own.
- The named plaintiff, Monica Thomas, reports anxiety, sleep disruption, stress, fear, and frustration as direct results of the breach. These are not metaphors. The lawsuit explicitly states these “injuries go far beyond allegations of mere worry or inconvenience.”
- The ongoing fear of financial harm is clinically documented as a source of chronic stress. For 237,703 people, that stress was activated not by their own financial decisions but by Comcast’s failure to vet a vendor or encrypt a spreadsheet.
- Victims must now actively monitor their credit reports, freeze and unfreeze credit accounts, change passwords, re-secure personal devices, and respond to escalating spam calls and phishing messages — all unpaid labor that takes time away from work, family, and rest.
- The stolen data includes Social Security numbers, which are the gateway to medical identity theft. A fraudster with your SSN can file medical claims in your name, leaving you with insurance rejections, billing disputes, and corrupted medical records. This is a direct public health risk that may go undetected for years.
- The Identity Theft Resource Center and the U.S. GAO both confirm that fraud arising from breaches can go undetected for one to several years. This means victims cannot fully relax their vigilance. That sustained state of alert has real health consequences.
Economic Inequality: Who Pays When a Corporation Fails
The financial costs of this breach fall entirely on the people who had the least power in this situation: customers who needed internet service and had no way to know their data was being mishandled.
- Credit and identity theft monitoring costs approximately $200 per year per person. At a minimum five-year monitoring period recommended by the lawsuit, each of the 237,703 victims is looking at $1,000 in out-of-pocket costs. That is money Comcast’s negligence imposed on them.
- The aggregate projected monitoring cost across all 237,703 affected customers approaches $237 million. Comcast’s annual revenue was over $121 billion in 2022. The company saved money by not adequately vetting its vendor; customers are now paying that bill.
- A stolen Social Security number can be used to open fraudulent credit accounts, file fake unemployment claims, and take out loans. When those debts are traced back to the victim, they face collection calls, damaged credit scores, and years of disputes — compounding debt and financial stress they did nothing to create.
- People with lower incomes are disproportionately harmed by identity theft because they have fewer resources to fight it: fewer attorneys on retainer, less time to spend navigating credit bureau disputes, less access to premium monitoring services, and less financial cushion to absorb the costs of fraud before it’s corrected.
- The data brokering industry was worth approximately $200 billion in 2019. The stolen PII from this breach has inherent market value. That value was transferred from victims to criminals — without consent, without compensation, and without any mechanism for victims to recover it.
- Dark web pricing for the kind of complete identity package (“Fullz”) made possible by this breach — name, SSN, date of birth, address, account number — can exceed $100 per record. Criminals profited. Comcast profited from not spending adequately on security. Victims paid the bill in time, money, and stress.
— Martin Walter, Senior Director, cybersecurity firm RedSeal, as cited in the Complaint
The “Cost of a Life” Metric
The lawsuit seeks at least $1,300 in statutory damages per subscriber per violation of the Cable Communications Policy Act. Below is what that number means in human terms.
Minimum statutory damages sought per Comcast customer per violation under 47 U.S.C. § 551 of the Cable Communications Policy Act. Multiplied across 237,703 customers, the floor of statutory exposure for Comcast exceeds $308 million.
Meanwhile, each affected customer faces up to $1,000 in out-of-pocket credit monitoring costs over five years — a bill that lands on them, not Comcast.
Estimated retail cost of credit and identity theft monitoring per victim. The lawsuit projects a minimum five-year monitoring period per person. Total projected monitoring burden across all 237,703 affected customers: approximately $237 million — paid by the victims.
Comcast’s 2022 annual revenue: over $121 billion. The cost of adequate vendor security vetting: a rounding error on that number.
Maximum dark web price per stolen identity record of the type exposed in this breach (name, SSN, DOB, address, account details), according to the Infosec Institute. The “Fullz” package assembled from this breach data can be sold, resold, and used for crimes spanning tax fraud, bank fraud, medical identity theft, and loan applications — for years.
Your Social Security number cannot be cancelled. It travels with you for life. So does the risk created by this breach.
What Now? The Watchlist and Your Next Steps
The lawsuit is filed. The regulatory bodies are named. The corporate chain that failed 237,703 people is documented. Here is where accountability must come from, and what you can do right now.
The Corporate Decision-Makers
The source documents do not name individual executives in the context of this specific negligence. The entities legally responsible, as named in the complaint, are:
- Comcast Corporation — Pennsylvania corporation, headquartered at 1701 JFK Boulevard, Philadelphia, PA 19103. The parent entity.
- Comcast Cable Communications LLC — The subsidiary directly providing Xfinity cable, internet, and voice services. Wholly owned by Comcast Corporation.
- FBCS (Financial Business and Consumer Solutions) — Nationally licensed debt collection agency whose failure to secure its systems is the proximate cause of the breach. Not a defendant in this filing, but named throughout as the entity that failed to protect the data Comcast handed it.
The Regulatory Watchlist
- Federal Trade Commission (FTC): The complaint explicitly invokes Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits unfair or deceptive practices including failure to maintain reasonable data security. The FTC has enforcement authority and has previously brought actions against companies for exactly this type of negligence. File a complaint at ftc.gov/complaint.
- Federal Communications Commission (FCC): Comcast operates as a cable operator and internet provider subject to FCC oversight. The Cable Communications Policy Act violation alleged in the suit (47 U.S.C. § 551) falls within FCC jurisdiction. File at fcc.gov/consumers/guides/filing-informal-complaint.
- Office of the Maine Attorney General: Already the recipient of FBCS’s and Comcast’s mandatory breach disclosures. State AG offices have data breach enforcement authority and public records of these filings are already available. maine.gov/ag.
- Consumer Financial Protection Bureau (CFPB): Debt collection practices and data security failures that lead to identity theft and financial harm are within CFPB jurisdiction. File a complaint at consumerfinance.gov/complaint.
- Your State Attorney General: Every state has consumer protection and data breach notification laws. If Comcast failed to notify you within your state’s required timeframe, your AG has jurisdiction. Find your AG at naag.org.
If You Were Affected: Specific Actions to Take Now
- Place a credit freeze at all three major bureaus — Equifax, Experian, and TransUnion — immediately. This is free by law and prevents new accounts from being opened in your name. A credit freeze is stronger than a fraud alert.
- Request your free credit reports at annualcreditreport.com and review every account listed. Look for accounts you did not open, addresses you never lived at, and employers you never worked for.
- File an identity theft report at identitytheft.gov (the FTC’s official portal) if you find any evidence of fraudulent activity. This report gives you legal rights to correct fraudulent records.
- Register for the class action: Monitor ClassAction.org and follow the case Thomas v. Comcast Cable Communications LLC (Case No. 2:24-cv-05403, Eastern District of Pennsylvania) for updates on how to join the class as a member.
- Document everything: Keep a log of every spam call, phishing text, fraudulent account, and hour you spend addressing this breach. Time spent is a compensable injury recognized in the lawsuit.
- Contact a mutual aid network in your community if identity theft has caused immediate financial harm. Organizations like the National Foundation for Credit Counseling (nfcc.org) provide free or low-cost assistance with credit repair and debt disputes caused by fraud.
- Organize locally: If you know others affected by this breach, connect with local consumer advocacy groups, tenant organizations, and community legal aid offices. Collective action at the local level amplifies pressure on regulators and makes class action participation more accessible for people who can’t afford private counsel.
The source document for this investigation is attached below.


