Cybersecurity | April 19, 2026

Comcast $117.5 Million Settlement Opens Claims for Over 30 Million U.S. Consumers

Learn who is eligible for Comcast’s $117.5 million data‑breach settlement, how to file a claim by August 14, and what defenders should do to prevent similar incidents.

Peter Olaleru/3 min/US

Cybersecurity Editor


**TL;DR** Over 30 million U.S. residents may receive up to $10,000 each from Comcast’s $117.5 million settlement for the October 2023 data breach, with claims due August 14. Eligible consumers must submit proof of financial harm for the maximum payout or choose alternative compensation options.

**Context** In October 2023, attackers gained access to a Comcast third‑party vendor and exfiltrated customer data including usernames, hashed passwords, the last four digits of Social Security numbers, security questions, birth dates and contact information. Comcast detected the intrusion weeks later and began notifying affected customers in December 2023. The company said it had no evidence the data was misused or that customers were directly targeted. On April 17, 2026, Comcast agreed to a $117.5 million settlement to resolve 24 consolidated class‑action lawsuits alleging inadequate data protection and delayed breach notification.

**Key Facts**

- The settlement fund totals $117.5 million.
- Over 30 million U.S. residents are estimated to be eligible for compensation.
- Consumers who can document financial losses tied to the breach—such as fraud, identity theft, credit‑monitoring fees or bank charges—may claim up to $10,000.
- Those with documentation of time spent remediating the incident can receive $30 per hour, capped at five hours.
- Claimants without documentation receive an estimated $50 payout, adjusted based on total participation.
- All claims must be filed online or by mail no later than August 14.
- Objections or opt‑out requests are due by June 1; a fairness hearing is set for July 7 before the U.S. District Court for the Eastern District of Pennsylvania.
- The settlement also provides identity‑protection services, including credit monitoring and theft insurance.

**What It Means** For affected individuals, the settlement offers a concrete path to recover out‑of‑pocket costs and time spent addressing the breach, provided they retain receipts, logs or other evidence. For security teams, the incident underscores the need to vet third‑party vendors, enforce multi‑factor authentication on privileged accounts, and monitor for credential‑stuffing attempts using exposed usernames and hashed passwords. Defenders should:

- Rotate and re‑hash passwords using a strong, adaptive algorithm (e.g., bcrypt or Argon2) and invalidate any hashes that may have been compromised.
- Implement strict access controls and least‑privilege principles for vendor connections, logging all privileged sessions.
- Deploy detection rules for MITRE ATT&CK T1078 (Valid Accounts) and T1110 (Brute Force) to spot abnormal login attempts.
- Review and limit the storage of sensitive identifiers such as Social Security numbers; retain only the last four digits when absolutely necessary and tokenize the rest.
- Conduct regular tabletop exercises that include breach‑notification timelines to ensure compliance with state and federal disclosure laws.
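One way to express the T1110/T1078 detection recommended above, as an added example that is not from Comcast or the original article: it flags a source IP that fails logins for many distinct usernames in a short window and lists exposed accounts the same source then logged in to. The event tuple layout, the thresholds, `EXPOSED_USERS` and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    ("2026-04-19T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2026-04-19T10:00:03", "203.0.113.7", "bob", "fail"),
    ("2026-04-19T10:00:05", "203.0.113.7", "carol", "success"),
    ("2026-04-19T10:00:07", "203.0.113.7", "dave", "fail"),
    ("2026-04-19T10:00:09", "203.0.113.7", "eve", "fail"),
    ("2026-04-19T10:02:00", "198.51.100.20", "erin", "fail"),
    ("2026-04-19T10:02:20", "198.51.100.20", "erin", "success"),
    ("2026-04-19T08:00:00", "192.0.2.50", "alice", "fail"),
    ("2026-04-19T09:00:00", "192.0.2.50", "bob", "fail"),
    ("2026-04-19T10:30:00", "192.0.2.50", "carol", "fail"),
    ("2026-04-19T11:45:00", "192.0.2.50", "dave", "fail"),
]
# Hypothetical list of usernames known to be in the exposed data set.
EXPOSED_USERS = {"alice", "bob", "carol", "dave"}


def detect_stuffing(events, exposed, window=timedelta(minutes=5), min_users=4):
    """Flag IPs that fail logins for >= min_users distinct usernames within
    one window (T1110) and list exposed accounts that the same IP logged in to
    from the start of that burst onward (T1078 candidates)."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, u, o in rows if o == "fail"]
        start, burst = 0, None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            tried = {u for _, u in fails[start:end + 1]}
            if len(tried) >= min_users:
                burst = (fails[start][0], len(tried))
                break
        if burst is None:
            continue
        hits = sorted({u for t, u, o in rows
                       if o == "success" and t >= burst[0] and u in exposed})
        alerts[ip] = {"distinct_users": burst[1], "logged_in_exposed": hits}
    return alerts


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS, EXPOSED_USERS))
```

Accounts returned in `logged_in_exposed` are candidates for a forced password reset and session revocation. The constructed 192.0.2.50 events span hours and are not flagged at these thresholds, so a second rule with a longer window is needed for that pattern.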

Watch for the court’s July 7 ruling on settlement fairness; if approved, payouts will begin after the August 14 claim deadline, and Comcast’s subsequent security upgrades will be a key indicator of whether similar incidents can be prevented in the future.
