[BreachExchange] Xfinity mistakenly releases contact information for nearly 200,000 unlisted customers

Destry Winant destry at riskbasedsecurity.com
Thu Mar 12 10:15:28 EDT 2020


https://www.denverpost.com/2020/03/05/comcast-xfinity-customer-privacy-release/

Nearly 200,000 Xfinity customers nationwide who pay for their phone
numbers to remain unlisted or unpublished had their contact
information mistakenly posted online last fall, the company confirmed
Wednesday.

Comcast, Xfinity’s parent company, could not say how many of those
customers are in Colorado, but several have voiced their concern to
the state’s attorney general or on official Xfinity forums, lamenting
the disclosure and pushing the company to do more to compensate
victims of the mistake.

For years, customers have had the ability to pay a small sum per month
to ensure their phone numbers and personal information remain off of
telephone and online directories.

But in January and February, thousands of people across the country
received letters from Xfinity telling them the company had
inadvertently published personal information on Comcast’s online
directory, Ecolisting.com. The issue affected 2% of Comcast’s 9.9
million voice customers, the company said.

Comcast discovered the issue in November, shutting down the online
directory while offering customers a $100 credit. Because the online
directory has been shuttered, Comcast will no longer offer
nonpublished and nonlisted services.

“We are working with our customers directly to address this issue and
help make it right, and are taking steps to prevent this from
happening again,” Leslie Oliver, a Comcast spokeswoman, said in a
statement.

In light of the privacy breach, the company offered to change
customers’ numbers at no charge, and it set up a phone line
(877-213-9812) for people to voice concerns or ask questions.

But customers who had their numbers mistakenly released complained on
Xfinity’s community message board that although the company corrected
its mistake, it’s impossible to put that information back in the box
once it’s released.

“I’m now published all over the web because of their error,” one user wrote.

Other customers said the release wasn’t just an inconvenience. Law
enforcement officers, judges and domestic abuse victims are some of
the people who pay for unlisted or unpublished numbers.

“Xfinity has compromised the safety of myself and my family by
publishing my identifying information for others to see,” another user
wrote. “Simply providing a $100 credit is not good enough considering
the mess I am going to have to deal with.”


Lawrence Pacheco, spokesman for the Colorado Attorney General’s
Office, said in an email that the state’s consumer protection team
could not find any complaints about Xfinity releasing unlisted numbers
but urged any concerned consumers to submit reports to
stopfraudcolorado.gov.

“Complaints about telecommunications providers is one of the top 10
complaints our office received last year,” Pacheco said.

This is not the first instance in which Comcast mistakenly released
customer information.

In 2015, the cable operator paid a $33 million settlement after
accidentally publishing names, phone numbers and addresses of about
75,000 customers.

California’s attorney general at the time, Kamala Harris, called it a
“troubling breach of privacy.”