Comcast Data Breach Impacts Nearly 36 Million Xfinity Customers

The data breach resulted from a Citrix software vulnerability.

Edward Gately, Senior News Editor

December 19, 2023


Comcast has disclosed a security breach in which hackers accessed the personally identifiable information (PII) of nearly 36 million Xfinity customers.

The cable company disclosed the data breach in a notice to customers on its Xfinity website. And in a data breach notification filed with the Maine Attorney General’s office, it included the total number of Xfinity customers impacted by the breach.

On Oct. 10, one of Xfinity’s software providers, Citrix, announced a vulnerability, Citrix Bleed, in one of its products used by Xfinity and thousands of other companies worldwide, Comcast said. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on Oct. 23.

“We promptly patched and mitigated our systems,” it said. “However, we subsequently discovered that prior to mitigation, between Oct. 16 and Oct. 19, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On Nov. 16, it was determined that information was likely acquired.”

Xfinity Customers' PII

On Dec. 6, Comcast concluded the information included usernames and hashed passwords. For some customers, other information was also included, such as names, contact information, last four digits of Social Security numbers, dates of birth and/or secret questions and answers.


“However, our data analysis is continuing, and we will provide additional notices as appropriate,” it said.

The Citrix Bleed vulnerability is particularly concerning because it allows unauthenticated remote attackers to gain sensitive information from the servers, such as session authentication tokens, said Thomas Richards, principal consultant at Synopsys Software Integrity Group.


“Once an attacker gains access to the session tokens, they can impersonate the authenticated user and perform actions as that user,” he said. “In the instance of Comcast, the attackers were able to hijack a session of an employee and gain access to the same systems that the employee has access to. Buffer overflow vulnerabilities such as this are less common nowadays due to better secure design practices. However, when they occur, they are always damaging. Organizations can protect themselves from these threats by installing critical patches by vendors as soon as they are released and monitoring critical systems for malicious traffic.”


David Ratner, CEO of HYAS, said criminals are literally waiting for each new zero day to be discovered because they can “pounce faster than patches can be applied.”

“While an efficient and effective patch strategy is critical for any organization today, it's also quite simply not enough,” he said. “Operational resiliency must be added at all layers, which includes having the visibility to detect anomalies inside the organization and discover breaches in near real time so they can be shut down and stopped before data is stolen and damage ensues.”
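Both experts quoted above land on the same point: patching closes the leak, but a session token stolen before the patch remains usable until the session is terminated, so the gateway has to be watched for tokens that change hands. The following is an added illustration, not code from the article, Comcast or Citrix, and it assumes a simplified, constructed access-log format (timestamp, session token, source IP, user agent, path) rather than any real NetScaler log layout. It flags any session token first seen from one client (source IP plus user agent) and later replayed from a different one, and lists the sessions a defender would want to revoke.

```python
"""Session-token reuse detector (added example; constructed log format and data).

A Citrix Bleed-style incident ends with a leaked session token being replayed
from the attacker's own client.  This checker reads gateway-style access logs
and reports every token that is used from a (source IP, user agent) pair
different from the one that first presented it.
"""
from dataclasses import dataclass
import re

# Constructed log line format, not a real product's format:
#   <ts> session=<token> src=<ip> ua="<user-agent>" path=<path>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) src=(?P<src>\S+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Constructed sample data: tok-A1 is a legitimate employee session that is
# suddenly replayed from a scripted client on a different address.
SAMPLE_LOG = """\
2023-10-16T09:00:01Z session=tok-A1 src=198.51.100.23 ua="Mozilla/5.0 (Windows NT 10.0)" path=/portal/home
2023-10-16T09:05:12Z session=tok-A1 src=198.51.100.23 ua="Mozilla/5.0 (Windows NT 10.0)" path=/portal/tickets
2023-10-16T09:07:40Z session=tok-A1 src=203.0.113.77 ua="python-requests/2.31" path=/portal/admin/users
2023-10-16T09:10:00Z session=tok-B2 src=192.0.2.45 ua="Mozilla/5.0 (Macintosh)" path=/portal/home
2023-10-16T09:12:30Z session=tok-B2 src=192.0.2.45 ua="Mozilla/5.0 (Macintosh)" path=/portal/reports
"""


@dataclass
class Finding:
    session: str
    first_src: str
    first_ua: str
    new_src: str
    new_ua: str
    ts: str
    path: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_session_reuse(log_text):
    """Return a Finding for each event where a known session token is presented
    from a (src, ua) pair different from the one that first used it."""
    origin = {}      # session token -> (src, ua) of its first sighting
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        client = (ev["src"], ev["ua"])
        first = origin.setdefault(ev["session"], client)
        if client != first:
            findings.append(Finding(ev["session"], first[0], first[1],
                                    ev["src"], ev["ua"], ev["ts"], ev["path"]))
    return findings


def sessions_to_terminate(findings):
    """Every token seen from a second client is a candidate for revocation."""
    return sorted({f.session for f in findings})


if __name__ == "__main__":
    hits = detect_session_reuse(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} session {f.session} moved from {f.first_src} ({f.first_ua}) "
              f"to {f.new_src} ({f.new_ua}) requesting {f.path}")
    print("revoke:", sessions_to_terminate(hits))
```

The check is deliberately strict: a legitimate user roaming between networks or switching browsers will also trip it, so in practice the output feeds a review queue or a forced re-authentication rather than an automatic block. It also only catches replay after the fact; the complementary step after patching a token-leaking bug is to terminate all existing sessions so that tokens leaked before the fix stop working at all.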

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
