Comcast Ordered to Pay $1.5 Million After Contractor’s Breach Compromises Customer Data

Comcast will pay a $1.5 million penalty after a contractor’s security lapse exposed personal details belonging to more than 237,000 past and present customers, according to an announcement from the Federal Communications Commission on Monday.

The FCC said the incident stemmed from a 2024 cyberattack targeting Financial Business and Consumer Solutions, a debt collection vendor Comcast had partnered with until 2022. 

The firm, known as FBCS, experienced a breach that revealed sensitive information tied to Comcast’s internet, television, and home security users. Regulators also noted that FBCS had already filed for bankruptcy before publicly acknowledging the breach in August 2024.

FCC Settlement and Strengthened Vendor Controls

As part of the settlement, Comcast has agreed to implement a new compliance framework aimed at bolstering oversight of third-party vendors. 

These added requirements will tighten expectations around customer privacy, data management, and the protection of any personal information handled on Comcast’s behalf.

In a statement addressing the matter, Comcast emphasized that it “was not responsible for and has not conceded any wrongdoing in connection with this incident.” 

The company also pointed out that none of its internal systems were compromised and reaffirmed that FBCS had been obligated to follow Comcast’s established vendor security protocols. 

“We remain committed to continually strengthening our cybersecurity policies and protections to safeguard customer data,” the company said.

Broader Concerns About Third-Party Data Risks

The FCC’s action underscores growing concerns around vulnerabilities created by outside contractors and the increased expectations for companies that share customer data with external partners. 

Although the breach did not originate within Comcast’s infrastructure, regulators stressed that organizations must ensure vendors uphold strong security standards.

This enforcement effort is intended to push Comcast toward more rigorous monitoring practices, particularly as cyber incidents involving external service providers continue to escalate. 

While Comcast has not accepted fault, its agreement to adopt enhanced controls reflects the broader scrutiny placed on data stewardship and the responsibilities that come with working with third-party firms that process customer information.