Comcast has agreed to pay a $1.5 million civil penalty to settle an FCC investigation into a 2023 data breach. The breach occurred at a third-party vendor and exposed the sensitive personal data of over 35 million customers. The FCC cited Comcast's failure to properly oversee the vendor's security practices.
Business Impact
This enforcement action sets a precedent: an organization remains financially and legally liable for the security failures of its vendors. Outsourcing an operation does not outsource the risk, and the regulator holds the entity that owns the customer relationship accountable for the data. The penalty is a warning to every regulated industry that third-party oversight is an obligation, not a best practice.
Why It Happened
The breach occurred because the vendor failed to implement basic security controls (such as MFA) on a legacy system. Comcast was penalized not for the vendor's missing control itself, but for failing to audit and enforce the security requirements already written into its vendor contracts: the obligations existed on paper and were never verified.
Recommended Executive Action
Review your Third-Party Risk Management (TPRM) contracts. Ensure you have a "right to audit" clause and that you actually exercise it for high-risk vendors, particularly those handling customer data or operating legacy systems. Verify with evidence (audit reports, control testing, configuration reviews) rather than questionnaires or self-attestations that your vendors are meeting the same security standards you apply internally, and track remediation of any gaps to closure.
Hashtags: #Comcast #FCC #DataBreach #Compliance #TPRM #ThirdPartyRisk #CyberLaw #InfoSec
