- Comcast reached a $117.5M settlement to resolve a lawsuit concerning the CitrixBleed 2023 data breach
- More than 31M customers are eligible to request compensation, including a cash payment of up to $10,000
- Comcast, which also plans to pay a $1.5M fine for another breach, said it “denies all material allegations”
Comcast has agreed to fork over $117.5 million to settle a class action lawsuit over a data breach that occurred in October 2023.
The preliminary approval order, which was publicly released Friday, directs Comcast to reimburse over 31 million people in the U.S. and its territories who received a notice about the breach, which Comcast discovered in October 2023 and then disclosed in December of that year.
According to the operator, the breach stemmed from a vulnerability called “CitrixBleed,” which allows attackers to hijack legitimate user sessions on NetScaler ADC and Gateway appliances to conduct network reconnaissance and steal credentials. CitrixBleed also impacted major companies like Boeing and Toyota.
A new version of the CitrixBleed exploit emerged in June 2025, targeting session tokens that are typically used in broader authentication frameworks, like API calls or persistent application sessions – meaning hackers could access sensitive information even after a user closed their browser.
Comcast customers are eligible for a cash payment of up to $10,000 if they submit proof of out-of-pocket losses. They can also choose to file for a “Lost Time” settlement for hours spent remedying issues related to the breach.
The $117.5 million settlement follows a $1.5 million fine Comcast agreed to in November concerning another data breach. Unlike the CitrixBleed incident, that breach didn’t happen on Comcast’s own network but at a third-party debt collection agency the operator previously used – impacting over 237,000 customers.
Regarding CitrixBleed, Comcast said it “denies all material allegations” and “specifically denies that it failed to properly protect personal information in accordance with its duties, had inadequate data security [and] was unjustly enriched by the use of personal data of the impacted individuals.”
The settlement comes as telcos grapple with security concerns, especially as AI and quantum computing introduce new threats.
The Salt Typhoon group, responsible for what’s considered the largest telecom hack in U.S. history, is still actively going after communications infrastructure in over 80 countries.
Brightspeed earlier this month disclosed it’s investigating reports of a cyberattack made by the Crimson Collective, a group that notably breached Red Hat’s private GitHub repositories last year.
The hackers posted a statement claiming they possess over 1 million residential personally identifiable information (PII) records from Brightspeed, with data such as email addresses, phone numbers, payment methods and more.
