Customers Sue Comcast, Citrix for Data Breach

January 3, 2024

by Brian Eckert

Xfinity customers are suing Comcast and its software provider, Citrix, for allegedly failing to implement adequate data security practices and protect their sensitive personal information from an October 2023 data breach.

The class action seeks to establish nationwide and New Jersey classes based on claims of negligence, breach of contract, unjust enrichment, and state consumer protection law violations.

Citrix Vulnerability Blamed for Cyberattack

In mid-December, Comcast began sending customers a data breach notification informing them of “unauthorized access” to its internal systems based on a “vulnerability” in a Citrix product used by Xfinity.

A Comcast filing with the Maine Secretary of State indicates that more than 35 million Xfinity customers may have had their personal information stolen, including:

  • Usernames and hashed passwords
  • Names
  • Contact information
  • Last four digits of Social Security numbers
  • Dates of birth
  • Secret passwords and answers

The customer notice letter says that Comcast systems were breached between October 16 and October 19. But according to Milberg’s complaint, the notice omits “details of the root cause of the data breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again.”

Without these details, the lawsuit states, the ability of plaintiffs and class members to mitigate harms resulting from the data breach is “severely diminished.”

Defendants had a duty to adopt reasonable measures to protect the PII of plaintiffs and class members from involuntary disclosure to third parties. Moreover, Comcast had a duty to audit, monitor, and verify the integrity of its IT vendors and affiliates. Defendants have a legal duty to keep Comcast customers’ PII safe and confidential.

A report in Infosecurity Magazine suggests that the CVE-2023-4966 vulnerability may have been exploited, allowing cybercriminals to hijack user sessions.

Comcast said in a statement that it required customers to reset their passwords and strongly recommended they enable two-factor or multi-factor authentication.

Lawsuit Claims Comcast Did Not Follow Proper Security Protocols

Lead plaintiffs Brittany Hammond and Tamia Charles say that Comcast did not use “reasonable security procedures and practices” such as encrypting customers’ sensitive information and deleting it when it’s no longer needed. The plaintiffs also say that Comcast did not exercise due diligence when selecting IT vendors with whom it shared customer data.

They argue that Comcast and Citrix knew, or should have known, of the risk of cyberattack due to the increase in attacks targeting cable and software companies that collect and store customer information.

Cybersecurity firm Darktrace Federal told Axios that the telecom sector is “uniquely vulnerable to cyberattacks” due to the amount of outsourcing it does and the difficulty of completely vetting a new contractor’s security.

Affected Customers Face Identity Theft and Other Risks

Plaintiffs believe that their stolen data was sold on the dark web following the breach, which is the “modus operandi of cybercriminals that commit cyberattacks of this type.”

The complaint describes how criminals often purchase black market data and piece it together to develop “Fullz” packages that are used to perpetrate scams. Data breach victims can also be the unwitting recipients of targeted marketing.

“Simply put, unauthorized individuals can easily access the PII of Plaintiffs and Class Members,” the complaint says.

In addition, victims of the Comcast data breach will have to spend time and money to mitigate identity theft risks and face the diminished value of their PII.

Proposed Comcast Data Breach Class Members

The complaint, filed in U.S. District Court for the Southern District of Florida, lists two proposed classes:

  • A Nationwide Class comprised of all individuals residing in the United States whose PII was accessed and/or acquired by an unauthorized party as a result of the data breach reported by Comcast in December 2023.
  • A New Jersey Subclass consisting of all individuals residing in the state of New Jersey whose PII was accessed and/or acquired by an unauthorized party as a result of the data breach reported by Comcast in December 2023.

Any Comcast customer who received a data breach letter from Comcast or who meets the above criteria may automatically be eligible to join this lawsuit. They will be represented by Milberg Partner Jonathan Cohen, who has spent his entire career prosecuting class action cases.

Since 1965, Milberg has filed thousands of class action lawsuits and recovered more than $50 billion for our clients.
