Comcast confirmed that it has contacted about 200,000 broadband subs to secure their MSO-supplied email accounts and reset their passwords after discovering that a Dark Web seller was trying to unload a list of almost 600,000 Comcast email addresses and passwords.
CSO Online, which first reported on the Dark Web sale, said the seller was hawking batches of 100,000 accounts for $300 each, but the final price was $1,000.
A Comcast official said about 30% of the 590,000 records being sold were active, (Comcast ended the third quarter of 2015 with 22.86 million residential high-speed Internet subs). In addition to accessing email, subscribers use those credentials to access TV Everywhere services.
Comcast has not pinned down the exact source of the information being sold -- the data could have been harvested outside of Comcast’s systems via phishing, malware and other schemes.
“We do know that it was not from us,” the official said, noting that Comcast is contacting impacted subscribers about resetting their passwords. “It was not a breach of our system.”
According to CSO Online, commenters speculated that the Comcast list was “recycled information,” and tagged the Dark Web seller as a “scammer.”
Though Comcast said the information that showed up on Dark Web was not sourced though a breach of its systems, cybersecurity has become a critical area of emphasis for the cable industry. At last month’s SCTE Cable-Tec Expo, organizers dedicated a full day to the topic.
John N. Stewart, the senior vice president and chief security and trust officer at Cisco Systems, keynoted that pre-show Cybersecurity Symposium, noting that cybersecurity threats are a big, if not the biggest, risk posed to cable’s internal and external activities.
During his talk, Stewart presented data from a recent PricewaterhouseCoopers survey that found that about 90% of “large” organizations suffered a security breach, 50% of the worst breaches were caused by inadvertent human error, and 69% of large organizations were attacked by an unauthorized outsider. Another problem, he said, is that most companies aren’t aware that they are under attack when it happens. Stewart said that 269 days is the average “time-to-detection” rate for many businesses.
“I would call that not winning,” he said, later citing a study showing that 50% of CEOs of companies with at least $500 million in revenues in 10 major economies said they were not prepared for a “major cyber event.”
Of recent note, Cox Communications agreed to pay $595,000 to settle an FCC investigation into its data protections related to a 2014 hack.