It’s at least two times a week at this point that we hear or read about a big data breach. I mean, last week there was Insomniac and we all saw how that went down. It’s at a point where either we are in the dark ages of cybercrime or companies are hiring less-than-stellar candidates for information security roles. Comcast makes me question which one it is.
This week, it was announced that Comcast was the target of a hack that exposed the personal data of 35.9 million Xfinity customers. To put that into context, that is 10% of the US population.
While that is big news in and of itself, a bigger issue is that Comcast knew about a hole in their security and had yet to patch it. The company fell victim to Citrix Bleed “between October 16 and October 19”. If that sounds familiar, it was a critical bug in Citrix network hardware that was discovered and fixed some time ago. Comcast did not patch it until October 23.
A notice was sent to the Maine attorney general’s office about the hack. According to the notice, the following data was exposed:
- real names
- dates of birth
- security questions and answers
- last four digits of SSNs
- hashed passwords
- possibly more, according to Ars Technica
I don’t care what you have going on at your company. If there is a giant gaping hole in your security, that’s a case where you drop everything and patch it. That goes double for companies that hold sensitive information.
I knew Comcast was the worst, but this is nonsense.