While corporate data breaches have almost become commonplace, Comcast is in hot water for letting a critical security flaw go unpatched for weeks.
It seems like hackers breaching the defenses of major corporations has become just another fact of modern life, to the point that we just kind of ignore it if it doesn’t actively affect us. That might be hard to do for customers of internet service provider Comcast. The company was hit with an attack two weeks ago that has reportedly exposed the customer data of 35.9 million Xfinity users — a hair over 10 percent of the US population. But what might raise further alarms is Comcast’s apparent lackadaisical response to the security flaw that allowed the breach.
According to a notice sent to the Maine attorney general’s office, hackers were able to access usernames, contact info like real names and addresses, dates of birth, user-selected security questions and answers, and the last four digits of Social Security numbers. Passwords were taken, though they were cryptographically hashed. There may be more — the company is still investigating, according to Ars Technica.
How did this happen? Comcast reports that the unauthorized access took place “between October 16 and October 19,” through a critical bug in Citrix NetScaler network appliances known as Citrix Bleed (CVE-2023-4966). Citrix had published a patch for the vulnerability on October 10, and the bug was already known to be exploited in the wild, with attacks traced back to August. But unfortunately for Comcast and its customers, the company waited until October 23rd to actually patch its own appliances, almost two weeks after the fix was available. That window was all hackers needed to use the vulnerability and penetrate Comcast’s systems. Worse, because Citrix Bleed leaks live session tokens, applying the patch by itself does not evict an attacker who already holds one; Citrix also advised terminating all active sessions on the appliance after patching.
Comcast isn’t the only large company affected by the Citrix Bleed vulnerability, and hindsight is 20/20. But given the high-profile nature of the security issue and Comcast’s slow turnaround for securing its own systems, customers might feel justifiably upset that their data was taken. Comcast is requiring customers to reset their passwords and strongly recommending that they enable two-factor authentication. Assuming no more extensive data was lost, the collection probably doesn’t represent a huge new risk; statistically, most of us have had those exact data points stolen and sold on more than once at this point. Two caveats are still worth keeping in mind. Hashed passwords can be cracked offline if the password is weak or the hashing scheme is, so any Xfinity password reused elsewhere should be changed there too. And the security questions and answers were taken in a form the notice does not describe as hashed; since such answers are commonly reused as a recovery factor on other accounts, they should be changed wherever else they are in use.