WASHINGTON—The Federal Communications Commission’s Enforcement Bureau said it has entered into a consent decree with Comcast calling for the cable company to make a voluntary payment of $1.5 million fine for vendor data breach that exposed the personal information of some 237,000 customers.
The decree resolves the Enforcement Bureau’s investigation into whether Comcast Cable Communications, LLC violated sections of the Cable Communications Policy Act of 1984 in connection with a breach by a now-defunct debt-collection agency that compromised the personal information of Comcast cable subscribers.
Under the consent decree, Comcast agreed to pay a $1.5 million “voluntary contribution” and implement a compliance plan that includes, among other things, improved vendor oversight practices related to customer privacy and information protection.
In a statement sent to TV Tech, Comcast said: "Comcast was not responsible for and has not conceded any wrongdoing in connection with this incident. The matter involved a former vendor, FBCS, which has not provided services to Comcast since 2022. No Comcast systems were compromised, and FBCS was required to comply with our comprehensive vendor security requirements. We remain committed to continually strengthening our cybersecurity policies and protections to safeguard customer data.”
The case involved a now-bankrupt company, Financial Business and Consumer Solutions (FBCS), which provided debt-collection services to Comcast between from 2010 to 2022. Those services gave FBCS access to some customer information.
Comcast notified FBCS in 2020 that it was terminating the parties’ agreement and stopped referring new accounts to FBCS for debt-collection services. FBCS ceased all work for Comcast in 2022, when the cable operator recalled the final accounts.
The consent decree notes that between Feb. 14 and Feb. 26, 2024, hackers illegally accessed the FBCS network without authorization, exposing the private information of 237,702 current and former Comcast customers. That information included first names or first initial and last names, addresses, Social Security numbers, dates of birth, Comcast account numbers, internal Comcast ID numbers, and internal FBCS ID numbers.
FBCS first informed Comcast of the breach on July 15, 2024. FBCS filed for bankruptcy before notifying state authorities that the FBCS breach impacted the cable operator’s current and former customers. Comcast notified customers and state authorities of the problem.
As part of the consent decree, Comcast agreed to hire a compliance officer to implement a compliance plan and procedures to improve security.
More information and the complete Consent Decree is available here.
