Between October 16 and October 19, 2023, an unauthorized individual gained access to Comcast’s systems through a known Citrix software vulnerability. Like millions of other businesses, Comcast, one of the biggest internet and cable providers in the US, had been utilizing Citrix’s cloud computing infrastructure. Comcast primarily operated under the Xfinity brand. The vulnerability was disclosed by Citrix. Many companies, including Comcast, had failed to patch it in time. By the time the attack was finished, over 31 million customers’ personal data had been compromised. Names and addresses. Social Security numbers. dates of birth. Hashed answers to secret questions.
There were many subsequent class action lawsuits; in the end, two dozen distinct cases were combined into one proceeding. A $117.5 million settlement was preliminary approved by the court in January 2026. The administration is being handled by Kroll Settlement Administration LLC, a New York-based company with 50 years of experience handling complicated class action claims that operates out of One World Trade Center. ComcastBreachSettlement.com, the official settlement website, launched in April 2026. August 14, 2026 is the deadline for submitting a claim.
The same question that arises with every data breach settlement is what most people ask when they receive a settlement notice in the mail or an email from Kroll: is this real, and is it worth filing? Both responses are in the affirmative. One of the most reputable settlement administrators in the business, Kroll has handled numerous securities and antitrust cases in addition to the T-Mobile data breach settlement and AT&T’s customer data lawsuit. The Comcast settlement is legitimate, court-approved, and offers actual money; however, as is the case with all large class actions, the amount that each individual claimant receives is largely dependent on the number of filings and the supporting documentation they are able to submit.
IMPORTANT INFORMATION TABLE — KROLL SETTLEMENT ADMINISTRATION: COMCAST DATA BREACH
| Category | Details |
|---|---|
| Case Name | Hasson v. Comcast Cable Communications LLC, et al. |
| Case Number | 2:23-cv-05039 |
| Court | United States District Court (Pennsylvania) |
| Defendant | Comcast Corporation / Comcast Cable Communications, LLC |
| Settlement Amount | $117,500,000 |
| Preliminary Court Approval | January 16, 2026 |
| Breach Period | Approximately October 16–19, 2023 |
| Cause of Breach | Vulnerability in Citrix cloud computing software used by Comcast; exploited before Citrix announced the flaw |
| Affected Customers | ~31,658,000 U.S. residents and territories (Xfinity customers notified by Comcast) |
| Settlement Administrator | Kroll Settlement Administration LLC |
| Administrator Address | P.O. Box 5324, New York, NY 10150-5324 |
| Official Website | ComcastBreachSettlement.com |
| Claim Deadline | August 14, 2026 (online or postmarked) |
| Opt-Out Deadline | June 1, 2026 |
| Final Approval Hearing | July 7, 2026 |
| Maximum Documented Loss Claim | Up to $10,000 (with proof; identity theft, fraud, credit costs, etc.) |
| Lost Time Claim | Up to 5 hours at $30/hour (subject to $10,000 cap) |
| Alternative Cash Payment | Approximately $50 (no documentation required) |
| Additional Benefit | Identity defense and restoration services from CyEx |
| Attorneys’ Fees | Up to $39,170,000 |
| Administration Costs | Estimated $7,300,000 |
| About Kroll | Headquartered at One World Trade Center, 285 Fulton Street, New York; 50+ years settlement administration experience; has managed 4,000+ settlements, processed 100 million+ claims, distributed $30 billion+ |
Claimants have three basic options under the settlement structure. The simplest is the alternative cash payment, which is available to all members of the settlement class without any paperwork and is approximately $50. It’s not much, but it takes very little work. The more significant approach entails submitting a claim for reimbursement of documented out-of-pocket losses, which may amount to up to $10,000 for costs associated with identity theft, fraud, credit monitoring, credit report freezes, and related expenses that were incurred on or after October 16, 2023, in relation to the breach. Another option is to pay $30 per hour for up to five hours of lost time, which covers the practical costs of handling the fallout from a data breach, such as keeping an eye on accounts, contacting banks, and freezing credit, even in the absence of specific receipts.
It’s important to be realistic about what the majority of people will truly receive. The remaining $117.5 million fund is distributed proportionately based on filed valid claims after attorneys’ fees (up to $39.17 million), administration costs (estimated at $7.3 million), and lead plaintiff service awards are subtracted. The basic alternative payment payout for individuals who file it is typically small in large data breach settlements involving tens of millions of people. Those who file with supporting documentation, which is usually much less common, stand to gain significantly more. The $10,000 cap is genuine and accessible, but it necessitates demonstrating actual losses associated with the breach.
Here, there is a more general pattern that is noteworthy. Over the past ten years, data breach class action settlements—from Equifax, T-Mobile, Capital One, AT&T, and now Comcast—have become a common occurrence in American consumer life. A cyberattack, a delay in disclosure, class action lawsuits, a consolidated lawsuit, years of litigation, and ultimately a nine-figure settlement distributed to millions of people who, depending on whether they file at all, will mostly receive something between nominal and moderately meaningful are all parts of the same storyline. Even when the anticipated payout appears modest, filing is nearly always worthwhile, according to the people who systematically monitor these settlements (there are communities of them). One piece of information from a Reddit thread regarding the Comcast settlement is that one participant mentioned getting $865 from a different data breach claim by just filling out the form and waiting.
Kroll’s involvement in this process is primarily administrative and logistical: confirming claims, overseeing the settlement website, handling opt-out requests, communicating with class members, and ultimately disbursing payments following the court’s final approval, which is presently set for a hearing on July 7, 2026. Payments start to be made after final approval is given and any appeals are settled. Checks and at least one electronic payment method are available to claimants.
A class member ID is needed to file a claim at ComcastBreachSettlement.com. This ID can be found on the settlement notice that eligible customers received by mail or email. The form can still be accessed via the settlement website by class members who do not possess that ID. The June 1, 2026 opt-out deadline is important for anyone who wishes to maintain the option to sue Comcast independently rather than take part in the class settlement; however, opting out is a decision that should be carefully considered due to the expense and complexity of individual litigation against a company the size of Comcast.
The deadline is set for August 14. The website for the settlement is operational. The forms are accessible. The administrative machinery to compensate the 31 million individuals whose Social Security numbers and birth dates were incorrect in October 2023 is operational. How many of them will actually use it is the only unanswered question.
