U.S. telecom giant Comcast has warned that cybercriminals stole the personal data of more than 230,000 customers during a ransomware attack on a third-party provider of debt collection services.
The breach relates to a February cyberattack on Financial Business and Consumer Solutions (FBCS), a Pennsylvania-based debt collection agency used by Comcast.
In a filing with Maine’s attorney general on Friday, Comcast said that FBCS initially told the company in March that the security incident involved no Comcast customer data. Later in July, FBCS notified Comcast that its customer data had in fact been compromised.
Comcast says that 237,703 subscribers are affected by the data breach, with hackers accessing their names, addresses, Social Security numbers, dates of birth, and Comcast account numbers and ID numbers.
The stolen data belongs to those registered as customers at “around 2021,” Comcast says, adding that the company stopped using FBCS for debt collection in 2020.
FBCS has not yet revealed the nature of its security incident but Comcast’s filing confirms it was a ransomware attack.
“From February 14 and February 26, 2024, an unauthorized party gained access to FBCS’s computer network and some of its computers,” the filing states. “During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.”
The incident has not yet been claimed by any major ransomware group, and FBCS previously blamed an “unauthorized actor” for the attack.
FBCS did not respond to TechCrunch’s questions.
In a filing with Maine’s attorney general earlier this year, FBCS confirmed that more than four million people had their personal information accessed during the February cyberattack. It’s not known how many of FBCS’ customers were affected, but the organization said in its data breach notice that, in some cases, the attackers accessed medical claims and health insurance information.
CF Medical, a medical debt-purchasing company that goes by the trade name Capio, has confirmed it was among the organizations that saw customer health information stolen as a result of the FBCS breach. In September, CF Medical said more than 620,000 individuals had personal and health information stolen.
Truist Bank — one of the largest banks in the United States — also confirmed it was affected by the incident, as recently filed with California’s attorney general. It’s not yet known how many of Truist Bank’s 10 million customers were affected, but the banking giant warned that the attackers accessed names, addresses, account numbers, dates of birth, and Social Security numbers.