Communications Litigation Today was a Warren News publication.
'Particularly Lucrative Target'

Plaintiffs Cite Fraud Attempts on Accounts After Comcast 'Lost Control' in Data Breach

Comcast used “deficient data security practices” by relying on Citrix’s “flawed software applications” that resulted in a “massive and preventable” October data breach, alleged a fraud class action Thursday (docket 2:24-cv-00793) in U.S. District Court for Eastern Pennsylvania in Philadelphia.

Comcast “lost control” Oct. 16-19 over the confidential personally identifiable information (PII) of 36 million Xfinity customers by “failing to timely mitigate” a security hole in Citrix’s CVE-2023-4966 software, dubbed the Citrix Bleed, after the cloud computing company alerted its customers, including Comcast, of the security vulnerability on Oct. 10, the complaint said.

Comcast “failed to immediately heed this dire warning and Citrix’s guidance, and waited at least six to nine days to act,” when it “was already too late,” said the complaint. Hackers exploited the “unpatched” Citrix Bleed flaw to access Comcast’s internal systems during the four-day span and exfiltrated “massive amounts of valuable PII,” it said.

Comcast “claims to have first learned of this ‘suspicious activity’ on its networks and servers” on Oct. 25 “during a routine cybersecurity exercise,” the complaint said. It took three more weeks, until Nov. 16, for Comcast to conclude that customers’ PII and other private information was “likely acquired” in the cyberattack, and then until Dec. 6 for it to “determine which types of customer information had been compromised,” the complaint said. The provider publicly disclosed the breach Dec. 18 to governmental agencies and attorneys general, two months after it occurred, it said. The company then notified affected individuals, it said.

The data breach was caused by the "collective failure" of Comcast and Citrix “to implement basic, reasonable, and industry-standard data security practices necessary to protect their systems, software, and networks from a foreseeable and preventable cyberattack,” the complaint said. Comcast contends it “'promptly patched and mitigated the Citrix vulnerability,’ but offers no explanation for why it failed to immediately act” on Oct. 10 when Citrix issued a software patch for the security hole, said the complaint. And Citrix hasn’t explained “why the Citrix Bleed issue went wholly unsolved for several months before it issued the patch in October 2023,” it said.

Plaintiffs Jaclyn Remark of Pennsylvania and Noah Birkett, a Louisiana resident, were required to provide their sensitive PII to Comcast in order to obtain Xfinity service, said the complaint. Had they known Comcast wouldn’t protect their PII, they would not have paid for and received its services, or would have paid “considerably less” for such services, it said.

In January, Remark was alerted to an unauthorized person using her private information to open two credit cards in her name, causing her other credit cards to be “frozen,” said the complaint. A criminal also gained access to her Google Drive account, which hosted other private information, including pictures of her family, it said. She believes the January fraud, which caused about $200 to remediate, was caused by the data breach, it said. She later was alerted to suspicious activity on her accounts by criminals in Singapore and has been notified of several unsuccessful attempts by unauthorized individuals trying to access her Venmo, Facebook and Amazon accounts, it said.

Birkett was alerted to an unauthorized person using his private information to secure a loan through Cash America in his name, the complaint said. Birkett was able to thwart the loan, but the incident caused him to place a security freeze on his credit reports through the three major credit reporting bureaus, it said. He has experienced an increase in phishing emails, texts and phone calls trying to lure him into “dubious financial activities” since the data breach, it said.

By creating and maintaining “massive repositories" of PII, Comcast has provided a "particularly lucrative target for data thieves looking to obtain, misuse, or sell such data,” the complaint said. PII stolen in the cyberattack includes names, contact information, dates of birth, portions of Social Security numbers, account user names and hashed passwords, and security question prompts and answers, it said.

As a result of the breach, the plaintiffs and class members have spent “significant time and effort” researching the breach and monitoring their accounts for fraudulent activity and identity theft, and will have to continue to do so, the complaint said. Comcast’s December data breach letters didn’t offer compensation or complimentary third-party credit monitoring or identity theft protection services to affected persons, it said. “Thus, the risk of identity theft and unauthorized use” of plaintiffs’ and class members’ PII remains “very high,” it said.

Plaintiffs assert claims of negligence and negligence per se; breach of implied contract and third-party beneficiary contract; and unjust enrichment. They seek injunctive relief to prohibit defendants from continuing to engage in the unlawful acts described; compensatory, consequential, general, nominal and punitive damages; disgorgement and restitution of earnings, profits, compensation and benefits received by defendants; attorneys’ fees and costs; and pre- and post-judgment interest. Comcast and Citrix didn't comment Friday.