Hackers Gained Access To The Sensitive Data Of 36 Million Comcast Customers
from the whoops-a-daisy dept
Hackers have managed to obtain the personal data of 36 million Comcast customers.
In a notice sent to customers on Monday, Comcast announced that hackers had exploited the “CitrixBleed” vulnerability in Citrix networking devices that’s been a problem since at least August. Hackers gained access to a significant portion of Comcast systems between October 16 and October 19, but the company didn’t notice the intrusion until October 25.
It’s taken almost two months for Comcast to identify the scope of the intrusion, determine what data was accessed, and inform customers of the hack, which gave the hackers access to usernames, security questions, contact information, dates of birth, the last four digits of user social security numbers, and hashed passwords (Comcast doesn’t say what hashing algorithm was used).
Comcast attempted to downplay the scope of the hack by insisting they haven’t (yet) seen any instance of the data being used against Comcast customers. Not that they’d have any way to actually know that:
“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers”
Comcast currently has around 32.3 million broadband customers (and dropping), and 14 million or so TV customers (dropping even faster). I’m a broadband customer (Comcast has a monopoly at my address) and have yet to receive any notification whatsoever.
The Comcast hack — and the telecom giant’s 8-week delay in informing customers — comes as the FCC is considering new rules that would require broadband providers to do a better, faster job informing customers about data breaches. The effort is being uniformly opposed by Republicans, who consistently side with big telecom when it comes to the industry’s never-ending quest for zero accountability.
Filed Under: breach, broadband, cable, hack, privacy
Companies: comcast


Comments on “Hackers Gained Access To The Sensitive Data Of 36 Million Comcast Customers”
I’m sure this is just for “security purposes”, and not at all because they don’t want to reveal how shitty their encryption protocols are.
Re: Shitty, you say?!
Bhe rapelcgvba hfrf gur zbfg nqinaprq grpuavdhrf bhe fhzzre vagrea pbhyq pbcl sebz FgnpxBiresybj!
— Comcast Security (probably)
Re: Re: Lbh orng zr gb vg!
Very nice.
Re: Re:
“Wait, caesar ciphers aren’t state of the art anymore??”
This is why I never answer “insecurity questions” accurately. City where you were born? Techville. You can’t change the real answer but you can change a fake one. Just treat them as additional passwords.
No ID theft protection?
Nope, no I.D. theft protection service offered. I mean it’s not that big of a deal, those services aren’t so great anyhow. However, there is very little loss for Comcrap, so why would they invest in more security?
No notification for us, just a forced password reset without any note why.
Yay. -.-
I forgot to mention in this post that Comcast waited two weeks to implement the necessary patch to protect its systems, despite widespread discussion of the severe impact of this particular vulnerability.
Good times!
Re:
I was going to note that the patches were available on October 10. Double points to them for not even patching until after they were exploited, when mitigation was available prior.
Re:
I’d be interested in knowing the reason for this. From experience, this could be anything from “we only employ one guy who can do it and he was off sick” to “it took 2 weeks to get authorisation for downtime”, to “nobody was paid enough to care”.
Usually these things are the result of some combination of the above – underpaid staff with limited resources being told that prevention is less important than new sales until something actually goes wrong.
We seriously need to consider NERC CIP style regulations for anyone that collects PII, because super fuck these guys. And let me tell you, that shit will be MISERABLE for them. But again, super fuck them.
It could be a proportional system with lower expectations for a single piece of information such as name, and then ratchet up from there expanding the punishment as you add things like email, phone number, address, and SSN. And if you lose all of them? It should be a near catastrophic loss for the organization. CEOs/CIOs should wake up in cold sweats in the middle of the night thinking about what will happen if their company fucks up. Shareholders need to know their stock will be worth near nothing if a fuckup of that nature occurs.
Needless to say, I just discovered that my mortgage lender just lost all of that information for 14 million customers. Their answer? Two years of credit monitoring. Like any of that information will become less relevant in 2 years….
Same here… no notice, but they did force me to reset my password a couple of days ago when I logged into Xfinity streaming. (We also have TV service)
FTFY
““We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers””
Bitch you also think your customers like you…
Re:
Many Xfinity customers are very happy with the service supplied for the price.
Re:
Maybe if people spent time reading what they sign and agree to, there’d be less (you caused it yourself idiot) hate.
Encrypted, for her pleasure
The cable industry takes security very seriously. We encrypt creds twice using “military grade” ROT13 – twice to double its encryption strength. Rest assured, the cable industry protects your privacy even more than security.
The hack wasn’t the company’s fault. The firewall software they use was penetrated. Comcast was one of many that used that software and one of many hacked just before the patch fixed the hole.
I got a letter. Not sure who the vendor is that took my call and informed me that I’m not affected.
No crazy hoops to jump through.