Comcast has notified over 237,000 customers that their personal data was compromised in a ransomware attack on a former debt collection agency. In a filing with the Maine Attorney General, the company revealed that Financial Business and Consumer Solutions (FBCS), which the company used for debt collection until 2020, experienced a ransomware incident in February 2024 that exposed Comcast subscriber information.
The unauthorized intruders accessed the names, addresses, Social Security numbers, dates of birth, and Comcast account numbers and IDs of customers who had dealings with FBCS around 2021. Comcast insisted FBCS initially said no customer data was involved, but it was notified in July that customer information had, in fact, been compromised.
The filing confirms this was a ransomware attack that occurred between February 14 and 26. Attackers encrypted systems and downloaded data after accessing FBCS"s computer network without authorization.
From February 14 and February 26, 2024, an unauthorized party gained access to FBCS’s computer network and some of its computers. During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.
FBCS notified more than 4.2 million people that their information was exposed, and in some cases, medical claims and health insurance records were viewed. Debt purchasing company CF Medical acknowledged it was impacted, with over 620,000 patient records taken. Additionally, Truist Bank warned that an unknown number of its 10 million customers may have had names, addresses, account numbers, dates of birth and Social Security numbers accessed stemming from the FBCS breach.
The ransomware group behind the FBCS attack has yet to claim responsibility. Ransomware operations usually announce high-profile incidents on deep web sites or darknet forums to tout their capabilities. With major operations like Conti, REvil and LockBit routinely posting details of successful hacks, the lack of claims suggests this could be the work of a lesser known group or independent criminal actors.