No matter how this data security breach story develops, if you are a Comcast customer, you should probably change your passwords now.
In what may be the latest in a series of high-profile computer security breaches, Comcast had at least 34 of its servers hacked on February 6, 2014 by NullCrew FTS. After publishing a list of Comcast’s mail servers and a link to the root file with the vulnerability it used to penetrate Comcast’s system on Pastebin (Read Here), the information remained exposed and available for the next 24 hours. The following day, February 7, 2014, the company issued a limited press-release with regard to the security breach on Multichannel news. In that press-release, Comcast stated that the company “currently [has] no evidence to suggest any personal customer information was obtained in this incident.” This press release, which was released to only one on-line media outlet, has been heavily criticized by several media and security writers, who allege that the company has hushed and minimized what was likely to have been a serious on-line attack. (Read Here and Here).
It is too early to tell whether any of Comcast’s customer’s data was compromised in this attack or not, or whether Comcast ultimately has any liability. However this particular incident illustrates the difficult position a company can find itself when a computer security breach is made public shortly after the breach occurs. A company in the midst of a computer security breach must deal with several simultaneous issues in real time, including technology, business operation, legal compliance, and public relations – the larger the company the more difficult these things can be to coordinate.
The typical bases of liability from consumers for a company facing a computer security breach that involves the disclosure of private customer information typically comes down two essential bases of liability: (1) did the company fail to adopt reasonable safeguards against a computer security breach, and (2) did the company fail to timely notify affected consumers. Other causes of action, including “invasion of privacy” have been brought in several data breach cases to date, but the legal theory of most cases find themselves within the framework of failure to protect, and failure to timely notify. In the case of the Target breach (which occurred between November 27, 2013 and December 15, 2014), Target notified its affected customers via email and set up a special web page linked to its home page within days after the breach came to light, and regularly updated this website. (I wrote about the Target Data Security Breach in January 2014) As of the writing of this article, no such similar actions appear to have been taken by Comcast. Depending on the facts that emerge, this may not be an unusual response.
Those that are familiar with data security breaches know that there are oftentimes a number of time consuming steps that are required to properly respond to a breach. The first step usually includes identification and understanding the nature and scope of the breach, and then being reasonably sure that the threat has been contained and remedied. Depending on the complexity of the attack, this can sometimes take weeks to investigate and complete. In some instances, there is a requirement to coordinate with law enforcement, which itself can take significant time especially when the attack has occurred in more than one jurisdiction. If an attack is ongoing, a premature disclosure can tip off the hackers that the company and law enforcement are on to them. Determining what data (including customer data) was actually accessed or affected can also take several weeks. In the weeks and months to come, these details are likely to emerge if the likely suing customers make it past the preliminary pleading stages and proceed into discovery.
One challenge that may be faced by Comcast is that the vulnerability that was apparently exploited by NullCrew FTS was reported in December 2013, but was never patched by Comcast. NullCrew FTS has taken credit for another hack of a large Telecom (Bell Canada), and apparently had contacted Bell Canada two weeks before making disclosure of its hacking activities that exposed more that 22,000 user names and passwords of the Canadian company. To the degree that plaintiff’s lawyers will be able to show that Comcast could have patched this apparent security breach, this could be a potential basis of liability to the company. One study indicates that in hindsight 97% of data security breaches would have been avoidable through simple or intermediate controls.
In the meantime, Comcast is faced with the challenge of investigating and responding to this recent data breach, and simultaneously managing the reputation damage that naturally flows from incidents of this kind. A proactive approach to communicating with customers is often crucial for maintaining customer loyalty and trust. This is a difficult situation for any company finding itself in.
As a final reminder: If you are a Comcast customer, you should probably change your password.