On September 17, 2015, the California Public Utilities Commission (CPUC) approved a $33 million settlement between Comcast, CPUC staff, and the California Attorney General’s office (along with public interest groups TURN and the Greenlining Institute), related to a Comcast data breach that resulted in the personal information (name, address and telephone number) of nearly 75,000 Comcast “non-published” XFINITY Voice customers in California being posted on the Internet.

As the CPUC’s briefing explains, Comcast disseminated these customers’ personal information when it sent information about all of its telephone subscribers, including unpublished numbers, to Targus/Neustar, the company Comcast had chosen to license and sell its subscriber listings. The apparent problem was that Comcast failed to put a “privacy flag” on the unpublished numbers, so Targus/Neustar loaded those listings into its own database, distributed them to at least one national directory assistance operator, and published them online, where they became available to other data brokers. Why Comcast sent these numbers in the first place is unclear.

These were residential subscribers who specifically paid Comcast a monthly fee to keep their phone numbers and other personal information non-published or non-listed. These customers ranged from domestic violence victims to law enforcement personnel to people who simply wanted to head off telemarketing calls. They all requested the non-published service in order to protect their privacy. The ramifications of this breach were potentially catastrophic for such vulnerable customers, who relied on this service in order to protect their safety.

One customer on the Comcast Help Support Forum wrote:

“I also have not had my address listed for a number of years for a reason. Yet when signing up with Comcast, my address is all over the internet and in the printed phone book. Due to an abusive relationship and restraining order, my address needs to be unpublished.”

Despite receiving numerous complaints from customers that their personal information had been published even though they were paying for the non-publish service, Comcast somehow failed to detect the “process error” for about 27 months and took an additional 2 months to correct the error (from July 2010 to December 2012). Furthermore, after discovering the error, Comcast failed to take immediate data removal measures to protect customers whose phone numbers were implicated in the breach.

Comcast has agreed to pay $25 million in penalties to the California Department of Justice and the California Public Utilities Commission. Comcast will pay an additional $8.3 million in restitution to affected customers. Each of the 74,774 implicated customers will receive a $100 credit (former customers will receive a check instead). Comcast will refund $517,714 it collected in monthly fees for the non-publish service during the breach period. Lastly, Comcast will pay $432,000 in home security and safety-related services for 216 customers who had identified safety concerns to Comcast in connection with the breach.

Going forward, as part of the injunction Comcast will have to: 1) commission an annual third-party audit of its directory list distributor Neustar to ensure this kind of breach does not happen again; 2) more fully inform its XFINITY Voice California residential customers, through an easy-to-read disclosure, how Comcast uses non-published numbers and other personal information; and 3) revise its procedures for handling customer inquiries and complaints regarding the publication of non-published numbers so that it is able to detect patterns and prevent future breaches from going unnoticed.

EFF Senior Staff Attorney Lee Tien submitted testimony [pdf] as an expert witness for the California PUC in this case.