Trade Law Daily is a Warren News publication.
'Significant Paperwork'

Comcast Didn't Offer Typical Free Credit Monitoring After Breach, Say Plaintiffs

Comcast hasn’t offered victims of an October data breach at Citrix Systems affecting 35.8 million current and former Xfinity customers financial assistance with credit monitoring, though they will have to monitor their accounts for years to come, said three more lawsuits against the broadband provider filed since Friday. Hackers exploited a vulnerability in Citrix’s systems, affecting Xfinity and other Citrix customers in what has been dubbed the Citrix Bleed.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

Robert Roseman, a Pennsylvania resident, noted in his class action Friday (docket 2:24-cv-00271) against Comcast in U.S. District Court for Eastern Pennsylvania in Philadelphia that Xfinity hasn’t offered the type of free credit monitoring or identity fraud protection “firms typically offer their customers following a serious data breach.” Instead, Comcast advised customers “to routinely monitor and review financial and other accounts, as well as credit reports,” which is “no simple task,” the complaint said. Plaintiffs and class members “have many accounts, online and otherwise, that could be accessed with the PII [personally identifiable information] that was stolen from Xfinity’s systems,” it said.

Such monitoring requires time and effort that Roseman would otherwise not have expended, the complaint said. And given the “scant details Comcast has provided” about the breach as it continues its investigation, “the burden of discovering possible fraudulent transactions has been shifted to Xfinity customers,” the complaint said. Comcast “indicates an unwillingness to assist or protect its customers from the potential consequences of its own negligence,” it said.

Roseman’s data was compromised despite several representations in Xfinity’s privacy documentation that Comcast “help[s] protect you with multiple layers of security that automatically detect and block hundreds of thousands of cyber events every second,” the complaint said. Comcast “follow[s] industry-standard practices to secure the information we collect to prevent the unauthorized access, use, or disclosure of any personal information we collect and maintain,” the complaint said, citing the policy.

Roseman asserts claims of negligence, negligence per se and breach of contract. He seeks actual, statutory and punitive damages; restitution; and attorneys’ fees and costs.

Though many Comcast victims received word in December that their PII may have been exposed in the Citrix breach, Charles Metzger, an Ohio resident, didn’t receive notice of the breach until Jan. 4 when Comcast informed him he needed to change his password, said his Monday class action (docket 1:24-cv-20251) vs. Comcast and Citrix in U.S. District Court for Southern Florida in Miami.

Comcast tries to assure its customers that “we remain committed to continue investing in technology, protocols and experts dedicated to helping to protect your data and keeping you, our customer, safe,” but it offers “no third-party credit monitoring or theft protection services to actually assist customers in the protection and safety of their highly sensitive data,” said the complaint. Instead, the broadband provider advises customers to “remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit reports,” it noted.

The last four digits of Social Security numbers are among the data compromised in the breach, Metzger’s complaint noted. That’s “among the worst kinds of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change,” the complaint said. The loss of a person’s Social Security number can lead to identity theft and “extensive financial fraud,” it said.

Identity thieves can use victims’ Social Security numbers and good credit to apply for more credit in their names, then they use the credit cards and don't pay bills, it said. “You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought,” the complaint said. It isn’t easy to change or cancel a Social Security number; it requires “significant paperwork and evidence of misuse," it said. “Preventive action to defend against potential misuse of a Social Security number is not permitted; an individual instead must show evidence of actual, ongoing fraud to obtain a new number.”

Metzger asserts claims of negligence, negligent misrepresentation, breach of implied contract, breach of third-party beneficiary contract, invasion of privacy and unjust enrichment. He seeks actual, compensatory, statutory and punitive damages; attorneys’ fees and costs; and pre- and post-judgment interest.

David McCauley of Virginia and Jodi Wolfson of New Jersey received word of the breach from Comcast Dec. 26 and Dec. 20, respectively, said their class action (docket 2:24-cv-00280) filed Sunday in U.S. District Court for Eastern Pennsylvania in Philadelphia, naming Comcast and Citrix.

Their complaint notes identity thieves can get a job using a victim’s Social Security number, rent a house, or receive medical services in the victim’s name, “and may even give the victim’s personal information to police during an arrest, resulting in an arrest warrant being issued in the victim’s name.” Hackers can “easily use the last four digits of people’s Social Security numbers … to determine the first five digits themselves, since ‘they relate to where you live and where your card was issued,” the complaint said, citing an article in The Hill.

Identity theft victims often have to spend many hours “repairing the adverse impact to their credit,” the complaint said. McCauley has spent time and money enrolling in identity theft protection services, which informed him that his Social Security information was on the “dark web.” Wolfson has spent time “coordinating services and protective measures with her bank, her phone number was changed without her consent, and a fraudulent Amazon account was opened in her name,” the complaint said. Both plaintiffs “have suffered emotionally over the stress” resulting from the breach, it said.

McCauley and Wolfson assert claims of negligence, negligence per se, breach of implied contract and unjust enrichment. Comcast and Citrix didn’t comment Tuesday.