Comcast will pay a 1.5 million dollar civil fine after a vendor’s data breach exposed the personal information of more than 237,000 current and former customers, under a settlement with the U.S. Federal Communications Commission (FCC). The incident highlights how telecom and cable providers can be held liable for third-party security failures when customer data is involved, even if their own core network is not directly hacked.
What Happened In The Vendor Breach
The breach traces back to Financial Business and Consumer Solutions (FBCS), a debt collection vendor that Comcast used until 2022. Attackers compromised FBCS systems in February 2024 and accessed files containing names, addresses, dates of birth, Social Security numbers, and Comcast account numbers for affected subscribers. FBCS initially told Comcast in March 2024 that its customers were not impacted, but later disclosures showed that roughly 273,000 Comcast customers were in fact included in the compromised data set.
Details Of The FCC Fine
The FCC investigation concluded that Comcast failed to ensure its vendor properly safeguarded and disposed of customer information, as required under federal communications privacy rules. Under the consent decree, Comcast agreed to pay 1.5 million dollars and accept a multi-year compliance plan, without admitting wrongdoing, while the FCC closed its enforcement case. Regulators emphasized that the fine is intended to send a broader signal about robust oversight of third-party vendors that handle large volumes of subscriber data.
Key Figures From The Case
| Item | Value / Description |
|---|---|
| Civil penalty amount | 1.5 million dollars |
| Comcast customers impacted | About 237,000–274,000 individuals |
| Overall FBCS breach victims | Roughly 4.2 million people total across clients |
| Breach window at vendor | February 14–26, 2024 |
| Year Comcast stopped using FBCS | 2022 |
New Compliance And Oversight Requirements
Beyond the fine, Comcast must implement a series of steps to strengthen vendor risk management and reporting. These include designating a dedicated compliance officer, conducting vendor risk assessments at least every two years, filing semiannual compliance reports with the FCC for three years, and promptly reporting any material violations within 30 days of discovery. The company is also required to make sure vendors dispose of customer data once it is no longer needed for business purposes, closing a gap that contributed to this incident.
Comcast’s Response And Customer Impact
Comcast has said that its own systems were not breached and that the exposure was confined to FBCS, which was already out of its vendor roster by the time of the attack. The company maintains that it does not accept legal responsibility for the incident but has notified affected customers and offered standard post-breach support such as credit monitoring. For customers, the main risks are identity theft and fraud attempts based on stolen Social Security numbers and account identifiers, making credit freezes and close monitoring of financial statements especially important.



