Media and technology colossus Comcast Xfinity confirmed a massive data breach exposing the personal and account information of nearly 36 million customers.
In data breach notifications sent to impacted customers, Comcast disclosed that hackers exploited a Citrix vulnerability between October 16 and October 19, 2023.
Citrix had publicly disclosed the “Citrix Bleed” vulnerability CVE-2023-4966 on October 10, 2023, and released security fixes, which Comcast “promptly” implemented on October 23, 2023.
However, the threat actors had breached the company’s internal systems and accessed Xfinity customers’ personal information.
Earlier reports also indicated that hackers had been exploiting the Citrix Bleed zero-day vulnerability to target various organizations since August 2023, before Citrix released security patches.
The vulnerability affects Citrix NetScaler ADC and NetScaler Gateway appliances. It allows attackers to hijack existing authenticated session cookies and thereby bypass multi-factor authentication.
Comcast data breach impacted almost all customers
On November 16, 2023, Comcast discovered that threat actors had accessed its internal systems and obtained the Xfinity customer information of 35.8 million people.
“We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired,” said Comcast.
On December 6, 2023, Comcast determined that the data breach exposed customer account information, including usernames and hashed passwords. For some customers, it also exposed names, contact information, the last four digits of Social Security numbers, dates of birth, and/or secret questions and answers.
In a regulatory filing with the Office of the Maine Attorney General, Comcast disclosed that the data breach impacted 35,879,455 individuals. The company has notified the victims via email, news media, and its website.
Comcast’s Q2 2023 earnings report indicated the company had 32 million broadband customers, suggesting the data breach impacted almost all customers.
So far, Comcast has no evidence that the attackers have misused the leaked information.
“While Comcast is insisting that no customers have been directly affected or ‘attacked,’ this is unlikely as customer data was actively exfiltrated,” said Dr. Darren Williams, CEO and Founder of BlackFog.
Comcast is requiring customers to reset their passwords and enable two-factor or multi-factor authentication to secure their accounts. Customers who reuse passwords on other accounts should also reset them as a precaution.
Meanwhile, the company has not disclosed the threat actor’s identity or whether it received ransom demands to prevent the publication of the stolen customer information.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), LockBit 3.0 exploited the Citrix Bleed vulnerability to compromise multiple organizations.
Citrix Bleed victims include the American aerospace company Boeing, the Japanese automaker Toyota, the Industrial and Commercial Bank of China (ICBC), and the law firm Allen & Overy.
According to Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, at least 1,000 organizations are vulnerable to Citrix Bleed exploitation, with 300 already warned about the risk.
Comcast is in legal trouble after a massive data breach
Comcast faces two class-action lawsuits over the October 2023 data breach. The class members allege that the company failed to safeguard sensitive personal information or to implement robust security measures that could have prevented the breach.
Starting December 18, 2023, the Securities and Exchange Commission (SEC) requires public companies to report “material” cybersecurity incidents within 96 hours. Comcast had not filed a report on the data breach by December 22, 2023.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.
According to Neil Begley, Senior Vice President for Moody’s Investors Service, Comcast’s data breach “could attract the scrutiny of the FCC and other regulators.”
However, Dr. Williams believes Comcast may not be entirely at fault for failing to prevent the cyber incident.
“Third-party vulnerabilities can often result in delayed patching for the company which holds customer data,” Williams said. “This attack brings emphasis on the need for businesses to strongly consider and assess the security measures of the vendors they work with. With this mindset, companies can better prepare for the inevitable attack.”