Export Compliance Daily is a Warren News publication.
'Numerous Concerning Points'

Half a Dozen Negligence Class Actions vs. Comcast Filed Since Dec. 18 Data Breach Notice

Four more negligence class actions were filed late last week -- three in U.S. District Court for Eastern Pennsylvania in Comcast’s Philadelphia home jurisdiction, and another in a Florida district court -- involving the October data breach at Citrix Systems that allegedly affected as many as 36 million individuals. Last week, two cases were filed in Philadelphia federal court after Comcast began notifying customers Dec. 18 about the breach (see 2312210023).

Complaints quoted Comcast’s notice saying one of its software providers, Citrix, announced a vulnerability Oct. 10 in one of its products that Xfinity uses. Citrix released a patch Oct. 10 to fix the “vulnerability,” then issued “additional mitigation guidance” Oct. 23, when Xfinity “promptly patched and mitigated our systems,” the notice said.

Prior to the patch, however, cybercriminals accessed some of Comcast’s internal systems, and the company determined Nov. 16 “that information was likely acquired,” it said. Information included usernames and “hashed passwords,” and for some customers, names, contact information, last four digits of Social Security numbers, dates of birth and secret questions and answers, it said. The data analysis “is continuing,” it added. Comcast suggested customers change their passwords.

Illinois resident and Xfinity customer Curtis Brown filed a suit citing “numerous concerning points” about Comcast’s notice, in a Thursday class action (docket 0:23-cv-62392) in U.S. District Court for Southern Florida in Fort Lauderdale against Comcast and Citrix. “Contrary to the notice,” Comcast “did not ‘promptly patch and mitigate’ its systems,” the complaint said. “It waited just long enough for the CitrixBleed vulnerability to be exploited with devastating effects to Plaintiff and Class members.”

It wasn’t determined until Nov. 16 that customers’ personally identifiable information (PII) was compromised, which “means that Comcast failed to know where PII was maintained in their systems and who had access to that PII for nearly a month after CitrixBleed was first disclosed and that Comcast failed to disclose the Data Breach for an additional month after it occurred,” it said.

Also, said Brown’s complaint, Comcast’s notice didn’t offer data breach victims identity theft or credit monitoring services. The notice instead referred customers to www.annualcreditreport.com to get a credit report they’re entitled to annually. “In an age ripe with data security incidents, this is the bare minimum that other companies offer when they make such a critical mistake,” said the complaint. And Citrix “did not send out any notification at all, let alone offer anything for the victims,” it said.

Researchers estimate that the so-called CitrixBleed was “actively exploiting Citrix software since at least August,” Brown’s complaint said, but Citrix “failed to notify” its customers until October. As a result of the defendants’ “failures,” Brown and class members “face a litany of harms that come with data breaches of this magnitude and severity,” it said. Brown asserts claims of negligence, breach of implied contract and unjust enrichment. He seeks restitution, actual damages, nominal damages, statutory damages, injunctive relief and disgorgement of profits.

In a Thursday class action filed in U.S. District Court for Eastern Pennsylvania in Philadelphia, plaintiffs Centoria Gunther of Chester, Pennsylvania, and Alyssia Nanez of Lathrop, California, both Xfinity internet customers, had a “reasonable expectation” that their PII would be protected, said their complaint (docket 2:23-cv-05092). Despite Comcast’s stated commitment to data security, it “failed to adopt reasonable measures” to prevent unauthorized access to plaintiffs’ and class members’ PII, it said.

Plaintiffs may spend one day to more than six months resolving identity theft issues, said Gunther and Nanez’s complaint. They face “years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” it added. They will lose time and productivity through efforts to mitigate the consequences of the data breach and are likely to experience some level of emotional distress, it said.

In addition to negligence and negligence per se, Gunther and Nanez claim breach of contract, violation of the California Unfair Competition Law and unjust enrichment. They seek damages in an amount to be determined by the court, an order of restitution, declaratory and injunctive relief, attorneys’ fees and costs, and pre- and post-judgment interest.

Plaintiff Jacqueline Keung, a Broward County, Florida, resident, has replaced her compromised credit card, enrolled in Experian credit monitoring and “extended her fraud alerts” since receiving Comcast’s notice Dec. 20, said her Friday class action (docket 2:23-cv-05110) in U.S. District Court for Eastern Pennsylvania in Philadelphia. She has spent “significant time and effort researching” the breach and monitoring her accounts for fraudulent activity and will have to continue doing so, it said. In addition to negligence and negligence per se, Keung claims breach of implied contract and unjust enrichment. She seeks actual, compensatory, punitive and nominal damages; attorneys’ fees and costs; and pre- and post-judgment interest.

Plaintiff Marcia Wilson, a Chester City, Pennsylvania, resident, and class members are at a “significantly increased and certainly impending risk of fraud, identity theft, and other harms” as a result of the Citrix breach, said her class action (docket 2:23-cv-05091) Thursday in the Philadelphia district court. Risks “may last for the rest of their lives,” said the complaint.

Had Comcast “maintained its data security network and worked diligently to correct vulnerabilities, remedied the deficiencies in its information storage and security systems, followed industry guidelines, and adopted security measures recommended by experts in the field,” it could have prevented intrusion into its information storage and security systems that held customer PII, said the complaint. Wilson asserts claims of negligence, negligence per se, breach of implied contract and unjust enrichment. She seeks damages to be determined by the court, an order of restitution and monetary relief, attorneys’ fees and costs, and pre- and post-judgment interest. Comcast didn’t comment Tuesday.