The actual breach occurred two months prior, during a four-day period between October 16 and 19, when hackers took advantage of a vulnerability in Xfinity’s internal Citrix software.

The information, including usernames, hashed passwords, partial Social Security numbers, and security questions, was already public by the time clients learned about it. The kind of data that remains undisturbed in a person’s possession until something happens.

Comcast has now agreed to pay $117.5 million to resolve a class action lawsuit, more than two years after those four days in October. Approximately 35.8 million customers are involved in the case, which is awaiting final approval in the U.S. District Court for the Eastern District of Pennsylvania. This number notably surpasses Comcast’s total broadband subscriber base at the time. It’s not a minor data leak. Almost all of their accounts were like that.

Kroll Settlement Administration LLC, a company that specializes in precisely this type of extensive consumer payout procedure, is the settlement administrator managing claims. If you’re wondering if any of this applies to you after receiving a breach notification from Comcast, you most likely do. Reimbursement for documented out-of-pocket losses up to $10,000 is available to eligible customers who file a claim by August 14, 2026.

This covers identity theft-related expenses, any credit monitoring services you may have paid for, and any credit freezes you put in place after the breach date. You can also claim up to five hours of lost time at $30 per hour if you spent time handling the fallout, such as contacting banks, contesting charges, or setting up fraud alerts. That is not insignificant.

There is a flat alternative payment of about $50 for those without specific documented losses, though that amount may change based on the total number of claims filed. It’s the kind of payout that, by itself, doesn’t make news, but it does exist. Practically speaking, the three-year identity protection package that all members of the settlement class can automatically enroll in is more intriguing.

Real-time transaction alerts, dark web monitoring, one-bureau credit monitoring, and identity theft insurance up to $1 million are all included. Three years of monitoring isn’t overly cautious—in fact, it might be necessary given that the exposed data included security questions and partial Social Security numbers.

For its part, Comcast has denied any misconduct. Since the breach was made public, the company has maintained that Citrix, not Comcast, was the source of the vulnerability. In a limited sense, that might be technically true.

However, a jury is likely to agree with the plaintiffs’ argument that Comcast could have discovered and fixed the vulnerability before hackers did, which may be why Comcast decided to reach a settlement before it reached that stage. Although the $117.5 million settlement is a substantial amount, it avoids a great deal of awkward testimony in court regarding what IT teams knew and when.

In communities such as these, the human element is often lost. In December 2023, a grandmother who had been using the same Xfinity account for fifteen years was notified via email that her data might have been compromised. It’s possible that she didn’t fully comprehend the significance of her security questions or what “hashed passwords” meant.

Most likely, she didn’t file anything. Millions of class members in settlements across the nation fall into this category; they are eligible individuals who just don’t follow through, leaving money and protections unclaimed. It’s worth naming clearly because it’s a well-known pattern.

The date of the final approval hearing is July 7, 2026. The settlement is still proposed and not finalized until then. Although they won’t get paid in cash, customers who do nothing will technically stay in the class, giving up any future right to sue over this breach. Once everything is approved, they will still be able to use the identity protection services, which is something.

However, the window for cash claims closes on August 14. Claims may be mailed straight to Kroll Settlement Administration or submitted through the settlement website. The unique Class Member ID that was sent to you in the breach notification email is required; if you can’t find it, the settlement website offers a lookup tool.

Observing these massive corporate data breach settlements proceed through the legal system gives the impression that businesses benefit more from the system than the impacted individuals. Comcast will make the payment, deny any wrongdoing, and move on. It’s still unclear if those whose information was in another person’s database in October 2023 actually get paid.

The post Comcast Data Breach Settlement Kroll: What 35 Million Xfinity Customers Need to Know Before the Deadline appeared first on Creative Learning Guild.