Millions of Comcast and Xfinity customers could soon be in line for cash payments after the telecom giant agreed to a proposed $117.5 million settlement tied to a massive 2023 data breach that exposed sensitive customer information.
The class-action deal, filed in federal court in Pennsylvania, stems from claims that Comcast failed to adequately protect customer data after hackers exploited a Citrix software vulnerability to gain access to internal systems between Oct. 16 and Oct. 19, 2023.
Comcast publicly disclosed the breach on Dec. 18, 2023.
The settlement covers people in the United States and its territories who were individually notified that their information may have been compromised in the breach.
That means not every Comcast or Xfinity customer automatically qualifies.
Eligible claimants can seek reimbursement for documented losses, compensation for time spent dealing with the fallout from the breach or an alternative cash payment estimated at roughly $50.
But the payout amount is far from guaranteed.
Settlement documents state the $50 figure could increase or shrink depending on how many people file valid claims and how much money remains after legal fees, administration costs and other expenses are deducted from the fund.
Lawyers representing the plaintiffs plan to seek as much as one-third of the settlement fund — roughly $39.17 million — in attorney fees, according to the public filings.
Administration and notice costs are capped at $7.3 million, while the agreement also allows for service awards to class representatives.
Comcast has denied wrongdoing.
The Philadelphia-based telecom giant said hackers exploited a widely publicized Citrix vulnerability that affected numerous companies around the world.
According to Comcast’s own disclosure, the company determined by Nov. 16, 2023 that customer information had likely been acquired by unauthorized actors.
By Dec. 6, Comcast concluded the compromised data included usernames and hashed passwords, while some customers also had names, contact information, dates of birth, the last four digits of Social Security numbers and secret questions exposed.
At the time, reports estimated nearly 36 million people may have been affected.
The settlement agreement later pegged the proposed class at approximately 31.7 million individuals who were sent notice letters or emails.
Customers who submit claims for documented out-of-pocket expenses can seek up to $10,000 combined for losses and lost time.
Covered costs include fraud-related losses, fees for credit freezes or fraud alerts, credit monitoring expenses and miscellaneous costs such as postage, copying and mileage tied to addressing the breach.
Claimants can also seek compensation for up to five hours of lost time at a rate of $30 per hour.
