Xfinity Customer Reports Bank Fraud Day Before Receiving Data Breach Notice: Complaint

Jessica Durham, an Illinois resident, received an email notice from Comcast Dec. 22, informing her that her username and hashed password were stolen. She also learned unauthorized third parties had taken other customers' names, contact information, last four digits of Social Security numbers, dates of birth and/or secret questions and answers during the Oct. 16-19 data breach involving a vulnerability in a Citrix software product Comcast used, the complaint said.

The email notice came one day after Durham contacted the Lake County Sheriffs' Office and reported fraudulent activity on her credit card, the complaint said. In the police report, Durham said she received a call from her bank on Dec. 20 about unusual transactions on her credit card. She informed police at the time she did not authorize such transactions, the complaint said. The police report also recounts that Durham said “an unknown person had submitted a change of address form in her name without permission,” said the complaint. The bank froze all her accounts to prevent further fraudulent activity, it said.

Durham has seen a “dramatic increase” in spam email and phone calls since the Citrix Systems data breach, said the complaint. In addition to closing all her bank accounts, Durham had to “cancel and re-do all her autopay bills that were attached to the closed accounts.” This left her without access to her bank accounts in the days ahead of Christmas, it said. She didn’t regain access to funds until Dec. 27, when the bank provided a provisional credit, it said.

The plaintiff is suffering from “stress, fear and anxiety about the actual and potential wrongful access and use of her PII,” said the complaint. As a result of the breach, Durham and class members face “years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” it said. Already Durham has spent hours dealing with the fraudulent bank withdrawals, contacting the bank’s fraud department, law enforcement and credit monitoring services such as TransUnion; her fraud case “remains open,” it said.

Despite Comcast’s stated data security commitment, it never adopted “reasonable measures to prevent the unauthorized access” to Durham’s PII, and allowed for its release to “unauthorized bad actors,” the complaint said. Had the cable provider maintained its data security network and “worked diligently to correct vulnerabilities, remedied the deficiencies in its information storage and security systems, followed industry guidelines, and adopted security measures recommended by experts in the field, Comcast could have prevented intrusion into its information storage and security systems" and the theft of Durham’s and class members’ confidential PII,” it said.

Durham asserts claims of negligence, negligence per se, breach of implied contract, unjust enrichment and violation of the Pennsylvania Unfair Trade Practices Act. She seeks injunctive relief, including orders requiring Comcast to encrypt all data collected through the course of business, according to applicable regulations, industry standards, and federal, state or local laws; to destroy Durham's and class members' PII; and to maintain a comprehensive information security program.

The plaintiff also seeks for herself and class members actual, consequential and nominal damages; attorneys’ fees and legal costs; and prejudgment interest. Comcast didn’t comment Wednesday.