Media company Comcast has agreed to pay a USD 1.5 million fine after a vendor data breach exposed information belonging to thousands of its customers. The breach occurred within the systems of Financial Business and Consumer Solutions, a debt collection agency that had previously handled customer accounts for Comcast. The vendor experienced an intrusion in February 2024, which allowed attackers to access files containing personal information. The exposed data included names, addresses, dates of birth, Social Security numbers, and internal account numbers used by Comcast.
Comcast said that its own systems were not compromised. The breach was limited to data stored by the vendor. The company had ended its relationship with the vendor in 2022, but the vendor continued to hold customer data that should have been deleted. The intrusion was reported to Comcast in July 2024, several months after it occurred. By the time of the disclosure, the vendor had filed for bankruptcy, which further complicated the response. Regulators determined that customer data had not been removed from the vendor’s environment despite the end of the business relationship.
The Federal Communications Commission announced the settlement and said that Comcast must implement stronger oversight of third-party service providers that handle customer records. Under the terms of the settlement, Comcast will appoint a compliance officer responsible for monitoring vendor data practices. The company will also carry out regular audits of vendors and submit compliance reports to the regulator every six months for three years. In addition, Comcast must ensure that customer data is deleted when it is no longer required for business purposes.
The breach affected about 237,000 current and former customers. The compromised records came from Comcast services, including internet, television, and home security. The exposed information could allow malicious actors to engage in identity theft, create fraudulent accounts, or attempt targeted scams. Comcast has contacted affected individuals and advised them to monitor their accounts for suspicious activity. It has also warned customers not to respond to unsolicited messages requesting personal details or payment.
Comcast said that it accepted the terms of the settlement but did not admit wrongdoing. The company stated that it is committed to improving vendor management and protecting customer data. The incident has prompted a review of how data is handled once it is transferred to external service providers. Comcast said that it is updating its internal policies to require stronger verification that vendors delete customer information when contracts end.
The case highlights the risks associated with third-party data storage. Even when a company maintains strong security controls on its own systems, customer information stored by external vendors can be exposed if those vendors fail to implement adequate protections. Regulators have encouraged companies to set clear requirements for vendors, including regular audits and documented data deletion procedures. Failure to do so can result in fines, loss of customer trust, and long-term reputational damage.
Customers whose information may have been exposed are encouraged to treat unexpected messages with caution and to continue monitoring financial accounts. Identity thieves may attempt to use exposed personal data to open accounts or impersonate victims. Customers can also consider using credit monitoring tools and placing fraud alerts on their credit files if they notice suspicious activity.
The settlement underscores the importance of strong oversight when customer information is shared with external organisations. Companies handling large volumes of personal data must ensure that all partners follow the same security standards. The consequences of a vendor breach can affect both customers and the company responsible for the data.