Comcast has reached a $117.5 million settlement over a data breach that exposed the personal information of 36 million Xfinity customers, opening the door for affected users to file claims for cash payments. The breach dates back to late 2023, when hackers gained access to customer data tied to comcast xfinity accounts.
The company said the exposed information included names, contact details and dates of birth, and in some cases usernames and hashed passwords, as well as the last four digits of Social Security numbers, secret questions and answers. A class action lawsuit followed after Comcast concluded that unauthorized access to some of its internal systems occurred between Oct. 16 and Oct. 19, 2023, and that the access stemmed from a vulnerability in a Citrix product used by Xfinity and thousands of other companies worldwide.
Citrix announced the vulnerability on Oct. 10, 2023, and released a patch the same day, then issued additional mitigation guidance on Oct. 23. Comcast said it promptly patched and mitigated its systems, notified federal law enforcement and conducted an investigation into the nature and scope of the incident. The company also wrote to all affected users to advise them, setting up the settlement process that is now in motion.
Claimants need a unique settlement member ID number from the email telling them their data was exposed. Those who cannot find the email can use a lookup form to obtain the number before submitting a claim. They can choose a flat cash payment estimated at about $50 each, or they can provide evidence of out-of-pocket losses and lost time to seek a larger award. The final payout depends on how many people file.
The settlement turns a sprawling cybersecurity failure into something more immediate: a check, if users can prove they were affected and act before the deadline. For Comcast Xfinity customers, the breach is no longer only a warning about stolen data. It is now a claim form, a member ID and a dollar amount that may not go far unless losses can be documented.
