Comcast Xfinity Data breach 2023

rdrr

Yet another large Data Breach, this time impacting over 35 Million customers of Comcast/Xfinity. And it is infuriating to read the timeline only to be notified on Dec 18th 2023. :mad:

https://www.theverge.com/2023/12/18/24007082/xfinity-data-breach-hack-notice-citrix

Compromised information includes:
  • Names
  • Contact Information
  • Partial SSN
  • Dates of Birth
  • Secret Questions/Answers

Timeline: (A future business and security case of what not to do)
  • Oct 10th 2023 - Citrix (a technology company that Comcast/Xfinity is a customer of) disclosed a vulnerability and released a patch.
  • Oct 16th to 19th 2023 - Unauthorized activity at Comcast/Xfinity goes undetected.
  • Oct 23rd 2023 - Citrix issues more guidance about the vulnerability. Comcast/Xfinity "promptly patched and mitigated our systems." Comcast/Xfinity "subsequently discovered" an intrusion had already occurred.
  • Nov 16th 2023 - Comcast/Xfinity determines data was likely acquired <--- Note that this took 24 days!!!
  • Dec 6th 2023 - Comcast/Xfinity identifies which information was exposed.
  • Dec 18th 2023 - Notification published on its website
 

AG_PhamD

Maybe these giant companies should be compensating customers who have their data stolen to help encourage better security. And should they be fined more if they do not report the breach in a reasonable amount of time.

I wonder if hospitals, medical practices, insurers, etc can be sued under HIPAA for data breaches… that would get very expensive very quickly.
 

Cmaier

> Maybe these giant companies should be compensating customers who have their data stolen to help encourage better security. And should they be fined more if they do not report the breach in a reasonable amount of time.
>
> I wonder if hospitals, medical practices, insurers, etc can be sued under HIPAA for data breaches… that would get very expensive very quickly.

There is no private cause of action under HIPAA. You may be able to sue under other causes of action, depending on your state, however. Also depends on your agreement with the company - depending on the situation, you may have agreed to arbitrate, for example.
 

Roller

> There is no private cause of action under HIPAA. You may be able to sue under other causes of action, depending on your state, however. Also depends on your agreement with the company - depending on the situation, you may have agreed to arbitrate, for example.

Thank you for posting. HIPAA is poorly understood, even by people in healthcare. But it's worth noting that while hospitals that violate HIPAA can't be privately sued, they may be subject to substantial penalties.
 