Comcast alerts millions of subs to data breach

Comcast said Monday it was notifying customers about a "recent data security incident" stemming from a vulnerability in Citrix software used by the cable operator that exposed certain customer information, including usernames, dates of birth and the last four digits of social security numbers.

In the wake of it, Comcast is requiring customers to reset their passwords and recommending that customers enable two-factor or multi-factor authentication to secure their Xfinity account. Comcast is also recommending that customers change passwords for other accounts for which they use the same username and password or security question. Comcast also pointed out that customers can place a security freeze on their credit reports free of charge.

On October 10, cybersecurity specialist Citrix announced a vulnerability in software that Comcast and thousands of other companies use worldwide and issued more guidance on the issue on October 23. That vulnerability is being widely referred to as "Citrix bleed."

Comcast said it promptly patched and mitigated the Citrix vulnerability within its systems. However, the company discovered suspicious activity during a "routine cybersecurity exercise" on October 25 and determined that there was unauthorized access to its internal systems between October 16-19.

Comcast said it concluded that the unauthorized access was traced to the Citrix vulnerability.

Customer data 'likely acquired'

According to AP, a filing with Maine's office of the attorney general noted that nearly 35.9 million people were affected by the breach, a number that represents individual user IDs. Comcast ended Q3 with about 32.28 million broadband subs, comprised of 29.77 million residential subs and 2.5 million business customers.

Comcast notified federal law enforcement and started an investigation into the nature and scope of the incident and, on November 16, determined that "information was likely acquired."

Comcast said the information in-scope included usernames and "hashed" passwords, which turn plain text passwords into a series of unintelligible numbers and letters. Other information, such as names, contact information, the last four digits of social security numbers, dates of birth and/or secret questions and answers, might also have been included, Comcast said, stressing that its data analysis is continuing.

"We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers," a Comcast official told The Verge. "We take the responsibility to protect our customers very seriously and have our cybersecurity team monitoring 24x7."

Several US service providers, including Dish Network, AT&T, Verizon and T-Mobile  have grappled with cybersecurity incidents in recent years.

In July, the Biden administration released a National Cybersecurity Strategy that included increasing incentives to favor long-term investments into cybersecurity.  Additionally, the FCC has proposed the use of a new security labeling program that includes a 'Cyber Trust Mark' to identify IoT products and devices that meet a baseline set of security standards.