The ambiguous corporate language, the assurances that no “direct attacks” on customers have been found, and the courteous recommendation to keep an eye on your accounts have all become almost standard fare in a data breach notice. Most people feel a little uneasy, ignore it, and move on. Comcast’s December 2023 disclosure of its breach, however, was unusual.
A $117.5 million settlement is currently being negotiated in federal court as a result of one of the biggest consumer data breaches in recent memory, which affected between 35 and 36 million Xfinity customers.

| Category | Details |
|---|---|
| Company | Comcast Cable Communications, LLC |
| Settlement Amount | $117.5 Million |
| Case Name | Hasson v. Comcast Cable Communications, LLC |
| Court | U.S. District Court, Eastern District of Pennsylvania |
| Breach Dates | October 16–19, 2023 |
| Breach Disclosed | December 18, 2023 |
| Vulnerability Exploited | Citrix Bleed (CVE-2023-4966) |
| Affected Customers | ~35–36 Million |
| Data Compromised | Usernames, hashed passwords, last 4 digits of SSN, dates of birth, security Q&As, contact info |
| Claim Deadline | August 14, 2026 |
| Opt-Out / Objection Deadline | June 1, 2026 |
| Final Approval Hearing | July 7, 2026 — Philadelphia |
| Settlement Administrator | Kroll Settlement Administration LLC |
| Payout Options | ~$50 flat / Up to $10,000 documented losses / $30/hr lost time / 3 years credit monitoring |
| Attorney Fees | ~$39.2 Million (from the fund) |

The breach itself took place between October 16 and October 19, 2023, a window of just four days. Attackers exploited a vulnerability in Citrix NetScaler software, tracked as CVE-2023-4966 and dubbed Citrix Bleed by researchers. The patch had been available since October 10, five days before the intruders got in. That window was enough, because Comcast had not finished applying it in time. What makes Citrix Bleed so dangerous is not that it is hard to understand.
It is straightforward, almost elegant in a sinister way: it allowed attackers to take over user sessions that had already been authenticated, essentially slipping into existing connections as though they belonged there. No passwords had to be guessed. The door was already ajar.
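Because a hijacked session involves no login, the most useful defensive signal is a valid session token suddenly appearing from a client address, or a user agent, other than the one that authenticated it. The script below is an added example, not code from the article, from Comcast or from Citrix; it runs a simple check of that kind over a handful of constructed gateway log lines in a made-up format (real NetScaler logs look different), and it assumes the records are in time order.

```python
"""Flag session-hijack patterns in constructed VPN gateway logs.

Citrix Bleed (CVE-2023-4966) let an attacker reuse a valid session token
without authenticating. A practical detection is to compare every request
against the client IP and user agent recorded at login for that session.
The log format and the sample lines here are constructed for this example
and are NOT NetScaler's real format.
"""
from collections import defaultdict
import re

# Constructed sample: sid a1b2c3 logs in from one IP, then the same token
# shows up from a different IP with a different user agent. sid 9f9f9f is
# used without any login event at all. sid d4e5f6 is clean.
SAMPLE_LOGS = """\
2023-10-16T08:01:12Z LOGIN   sid=a1b2c3 user=jdoe   ip=203.0.113.10  ua=Citrix-Gateway-Client/23.0
2023-10-16T08:02:40Z REQUEST sid=a1b2c3 user=jdoe   ip=203.0.113.10  ua=Citrix-Gateway-Client/23.0
2023-10-16T09:15:03Z REQUEST sid=a1b2c3 user=jdoe   ip=198.51.100.77 ua=python-requests/2.31
2023-10-16T09:15:09Z REQUEST sid=a1b2c3 user=jdoe   ip=198.51.100.77 ua=python-requests/2.31
2023-10-16T10:00:00Z LOGIN   sid=d4e5f6 user=asmith ip=203.0.113.55  ua=Citrix-Gateway-Client/23.0
2023-10-16T10:05:00Z REQUEST sid=d4e5f6 user=asmith ip=203.0.113.55  ua=Citrix-Gateway-Client/23.0
2023-10-16T11:30:00Z REQUEST sid=9f9f9f user=admin  ip=192.0.2.200   ua=curl/8.4.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN|REQUEST)\s+sid=(?P<sid>\S+)\s+"
    r"user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+ua=(?P<ua>.+)$"
)


def parse_logs(text):
    """Parse the constructed log format into a list of dicts; skip junk lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_suspicious_sessions(records):
    """Return {sid: [reasons]} for sessions that look hijacked.

    Two signals are checked, both characteristic of token reuse rather
    than credential theft:
      * a REQUEST whose session was never seen logging in, and
      * a REQUEST whose client IP or user agent differs from the login's.
    Records are assumed to be in chronological order.
    """
    login_origin = {}            # sid -> (ip, ua) recorded at LOGIN
    findings = defaultdict(list)

    for r in records:
        sid = r["sid"]
        if r["event"] == "LOGIN":
            login_origin[sid] = (r["ip"], r["ua"])
            continue

        origin = login_origin.get(sid)
        if origin is None:
            reason = f"session used from {r['ip']} with no preceding login"
        else:
            ip0, ua0 = origin
            if r["ip"] != ip0:
                reason = f"client ip changed from {ip0} to {r['ip']}"
            elif r["ua"] != ua0:
                reason = f"user agent changed from {ua0!r} to {r['ua']!r}"
            else:
                continue
        # Collapse repeated hits so one hijacked session yields one line per cause.
        if reason not in findings[sid]:
            findings[sid].append(reason)

    return dict(findings)


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(parse_logs(SAMPLE_LOGS)).items():
        for reason in reasons:
            print(f"{sid}: {reason}")
```

Run against the sample it reports a1b2c3 (IP changed mid-session) and 9f9f9f (no login on record) and stays quiet about d4e5f6. Mobile clients change addresses legitimately, so in production this belongs in an alert that an analyst triages rather than an automatic block, and the session record it compares against has to come from the gateway's own authentication log, not from the request being judged.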

For the majority of those 36 million customers, what the attackers left with was usernames and hashed passwords. For a subset, the haul also included names, contact information, dates of birth, the last four digits of Social Security numbers, and answers to security questions. It is the combination that people should worry about. A hashed password on its own is of little immediate use.
Combine it with a known username, a birthdate, and the answer to “What street did you grow up on?”, however, and you have effectively handed someone a master key for resetting accounts all over the internet. Comcast’s delayed patch created that downstream risk.
On December 18, about two months after the intrusion ended, Comcast made the breach public. At the time, the company said it was “not aware of any customer data being leaked anywhere.” It is difficult to say whether that phrasing was strategically sound or merely technically correct.
A wave of class-action lawsuits followed: 24 of them, filed in federal courts across the country, were consolidated into a single case in Philadelphia. The resulting settlement, Hasson v. Comcast Cable Communications, LLC, resolved those claims without Comcast admitting any wrongdoing.
The payout options differ significantly, so it is worth understanding the structure in full. Customers who received a breach notification from Comcast in December 2023 may file. Those who can document actual financial harm, such as fraudulent charges, bank fees, credit monitoring costs, or identity theft insurance, can claim up to $10,000. Those without documentation can claim $30 per hour for up to five hours spent dealing with the fallout.
There is also an estimated flat payment of about $50 for those who suffered no direct harm but want compensation for the intrusion itself; the amount may vary with the number of claims filed. Before expecting a windfall, understand that if tens of millions of people file, that $50 figure could shrink.
CyEx Financial Shield provides $1 million in identity theft insurance and three years of identity monitoring to every class member, whether or not they file a claim. That is not insignificant. But identity monitoring works like a smoke alarm: it alerts you once the fire has already started.
For anyone whose partial Social Security number and security answers were exposed, a credit freeze with Equifax, Experian, and TransUnion is the more preventative measure; it is free and takes only a few minutes. Monitoring notifies you after the damage is done. A freeze stops it.
It is hard to ignore how quietly this case has moved through the courts. The settlement was reached in April, the claim deadline is August 14, 2026, and the final approval hearing is scheduled for July 7 in Philadelphia.
There could be 35 million eligible individuals. Customers can check their status using the email address tied to their Xfinity account at the settlement website, comcastbreachsettlement.com, which helps those who have since changed their contact details or simply misplaced the original notification email. Kroll Settlement Administration in New York accepts claims by mail or online.
This is a bigger story than Comcast. Citrix Bleed had a patch; it was not a zero-day that caught the industry by surprise. By the time Comcast disclosed its breach, Mandiant researchers had already documented ransomware groups using the vulnerability against other targets. Patch management is infrastructure, and corporate America is learning that lesson slowly and painfully. It is not glitzy.
It does not make the earnings call. But a five-day delay in applying a known fix cost tens of millions of customers their most private information, and cost one company $117.5 million to settle the lawsuits that followed.
Whether the settlement is equitable is another question. Attorneys are requesting about $39.2 million in fees from the fund, with further deductions for class representative payments and administrative expenses. Customers split what remains, and participation rates will substantially affect that amount. That math still doesn’t satisfy me.
The attorneys representing the people whose data was stolen collectively claim a sum that would give a reasonable person pause, while those people themselves receive, at most, a few hundred dollars if they can prove harm. Even for the flat $50, filing a claim feels like a small act of accountability for customers who did nothing wrong except have their information in the wrong database at the wrong time. The deadline is August 14. That is still in the future.
Disclaimer
Nothing published on Creative Learning Guild — including news articles, legal news, lawsuit summaries, settlement guides, legal analysis, financial commentary, expert opinion, educational content, or any other material — constitutes legal advice, financial advice, investment advice, or professional counsel of any kind. All content on this website is provided strictly for informational, educational, and news reporting purposes only. Consult your legal or financial advisor before taking any step.
