Another Class Action Accuses Comcast, Xfinity of Data Breach Negligence
A second negligence complaint in as many days was filed against Comcast and its Xfinity brand in U.S. District Court for Eastern Pennsylvania in Philadelphia involving a data breach it became aware of Oct. 10. Plaintiff Steven Prescott filed an eight-count class action Tuesday alleging that Xfinity's claims of strong and robust security were “false and misleading” (see 2312200005).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
In her own class action Wednesday (docket 2:23-cv-05072), plaintiff and Xfinity customer Danielle Hendrickson of Dover, Delaware, said she received notice of the breach Tuesday via an email informing her that her personally identifiable information (PII) was involved in a data breach, said the complaint. A Comcast software provider, Citrix, announced a vulnerability Oct. 10 in software used by Comcast and others, the complaint said. Between Oct. 16 and Oct. 19, the vulnerability “was exploited by third-party cybercriminals” who gained access to Hendrickson’s and class members PII that was hosted with Xfinity, it said.
Hendrickson was unaware of the data breach until she received the Tuesday email, the complaint said. She was injured in the form of “lost time” dealing with the consequences of the breach, including time spent verifying the legitimacy and impact of the breach, exploring credit monitoring and identity theft insurance options, monitoring her accounts “with heightened scrutiny” and seeking legal counsel regarding her options for remedying or mitigating the breach’s effects, it said.
The plaintiff was also injured by the “material risk to future harm” she suffered based on the breach, the complaint said. The risk is “imminent and substantial” because Hendrickson’s data has been exposed in the breach, and the data involved included “portions of Social Security numbers,” it said. It’s likely, “given Defendant’s clientele,” that some of the class’ information exposed in the breach “has already been misused,” it said.
Hendrickson has suffered increased anxiety for her loss of privacy and over the impact of cybercriminals accessing, using and selling her PII, said the complaint. She has suffered “imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse” resulting from her PII, in combination with her name, being stolen by criminals, it said.
Xfinity owed a duty to Hendrickson and class members to implement reasonable data security practices and processes that “would immediately detect a breach in its data security systems in a timely manner,” to act upon data security warnings and alerts in a timely fashion, plus a duty of care because “they were foreseeable and probable victims of any inadequate data security practices,” the complaint said.
Hendrickson asserts claims of negligence, breach of implied contract and implied covenant of good faith and fair dealing, and unjust enrichment, the complaint said. She seeks awards of actual, nominal and consequential damages; prejudgment interest; and attorneys’ costs and legal fees. She seeks injunctive relief including requiring Xfinity to delete and purge her and class members’ PII and to maintain a comprehensive information security program. Comcast didn't comment Thursday.