In a recent disclosure, Comcast, one of the largest telecommunications providers in the U.S., has confirmed that cybercriminals have stolen sensitive personal data of over 230,000 customers in the wake of a ransomware attack targeting a third-party vendor. The breach is linked to Financial Business and Consumer Solutions (FBCS), a Pennsylvania-based debt collection agency that Comcast previously used for handling unpaid accounts.
A Timeline of the Incident
The breach stems from a February 2024 cyberattack on FBCS, which remained largely undisclosed for months. In a report filed with Maine’s Attorney General, Comcast stated that initially, in March, FBCS informed them that no Comcast customer data had been compromised in the attack. However, in a shocking turn of events, FBCS notified Comcast in July that sensitive customer information had indeed been accessed by cybercriminals. This notification came several months after the breach occurred, significantly delaying the response.
Comcast has now confirmed that the data breach affected 237,703 subscribers, with compromised information including names, addresses, Social Security numbers, dates of birth, and even specific Comcast account and identification numbers. These details belong to customers who had accounts “around 2021,” according to the filing. Interestingly, Comcast had ceased its relationship with FBCS back in 2020, raising concerns about data retention practices and the extended risks of working with third-party vendors.
How the Ransomware Attack Unfolded
Though FBCS has remained tight-lipped about the exact nature of the breach, Comcast’s filing reveals that the incident was part of a ransomware attack. According to the report, from February 14 to February 26, 2024, unauthorized attackers infiltrated FBCS’s computer network, downloading sensitive data and encrypting certain systems to demand a ransom. The cybercriminals reportedly exfiltrated this customer data as part of their operation.
At this time, no major ransomware groups have publicly claimed responsibility for the attack, and FBCS has yet to provide a comprehensive explanation. While the Federal Cybersecurity and Infrastructure Security Agency (FCEB) attributed the breach to an “unauthorized actor,” more details remain under wraps.
The Wider Impact of the FBCS Attack
The implications of this breach extend beyond Comcast’s customer base. In its own filing earlier this year, FBCS disclosed that more than four million individuals were impacted by the February attack, with personal information—including medical claims and health insurance details—being compromised. FBCS services numerous organizations, raising the stakes of this cyberattack.
CF Medical, a company that handles medical debt and operates under the trade name Capio, was one of the entities affected. In a statement released in September, CF Medical confirmed that over 620,000 individuals had their personal and health-related information stolen as a result of the FBCS breach. This includes a range of sensitive data, from names and Social Security numbers to details about specific medical claims.
Additionally, Truist Bank, one of the largest banking institutions in the U.S., was also hit by the FBCS ransomware attack. According to a recent filing with California’s Attorney General, Truist Bank confirmed that hackers accessed personal and financial details of an unspecified number of their 10 million customers. Data compromised includes names, addresses, account numbers, dates of birth, and Social Security numbers—further escalating the potential damage of this breach.
Comcast’s Response and What Comes Next
As Comcast scrambles to address this alarming breach, the company is taking steps to notify affected customers. However, the slow timeline between the initial breach and disclosure has raised questions about how these security incidents are being managed—not only by FBCS but also by organizations that rely on third-party vendors for sensitive data handling.
The broader fallout from this attack underscores a growing concern across industries: the security risks tied to outsourcing services like debt collection. As ransomware attacks continue to plague companies worldwide, businesses are being forced to reconsider the extent to which they entrust third-party vendors with their customers’ sensitive information.
With other organizations like CF Medical and Truist Bank affected by the same breach, the FBCS attack is emerging as one of the more significant data breaches of the year. Customers, healthcare providers, and financial institutions alike may face long-term consequences, including heightened risks of identity theft, fraud, and privacy violations.
For the 237,703 Comcast customers impacted, the road to recovery could be long, as they are urged to monitor their credit reports and personal accounts closely for signs of suspicious activity. With ongoing investigations, more details are expected to emerge, shedding further light on how this breach unfolded—and how other businesses can better protect their customers from similar attacks in the future.
In an increasingly interconnected world, this breach serves as a stark reminder of the vulnerabilities that accompany third-party partnerships, as well as the growing sophistication of ransomware threats.
