The email appears in your inbox with a subject line that most people automatically ignore. A class action, perhaps? There’s something about Comcast. Something regarding money that you might or might not owe. At first glance, it appears to be another attempt at phishing, and considering what transpired in 2023, it’s understandable that someone would be wary of an Xfinity-related message requesting them to click on a link. Strangely enough, though, this one is real.
In order to resolve a class action lawsuit related to the October 2023 cyberattack that exposed the personal data of approximately 36 million Xfinity customers, Comcast has agreed to pay $117.5 million. An outside party gained access to Comcast’s systems between October 16 and October 19 of that year, during which time they stole usernames, passwords, contact information, dates of birth, and partial Social Security numbers. December saw the distribution of the notification letters. After reading them, the majority of people sighed, changed their passwords, and moved on. These things typically end that way. It didn’t this time.

Current and former Xfinity customers who received the December 2023 breach notice now have until September 14, 2026, to file through the claims portal. The deadline was first set for August 14 and then quietly extended, which may indicate that participation has been slower than the settlement administrators had anticipated. Customers who meet the eligibility requirements can receive a flat payment of about $50 or up to $10,000 in documented losses if they can provide documentation proving fraud, identity theft, or the amount of time spent clearing the mess. On paper, this math is generous, but in practice, it is more stringent. Most people don’t keep receipts for the hours they spent on hold with their bank.
For its part, Comcast disputes any misconduct. That’s standard language in settlements like this; it’s more of a legal shrug than an admission. In Hasson v. Comcast Cable Communications, the plaintiffs contended that the business had insufficient security in the first place and failed to adequately protect consumer data. The business doesn’t agree. Apparently, the check will still be cut.
It’s amazing how commonplace all of this has become. There is a breach. There’s a notification. Then comes a lawsuit. A settlement website with a portal, a claims deadline, and a flat-rate payout that seldom covers the true cost of handling the fallout appears two or three years later. T-Mobile. Equifax. Marriott. Now that the pattern is repeated so frequently, the settlements feel more like a regular operating expense for big businesses than like a form of accountability. That might be precisely what they’ve turned into.
The final approval hearing is set for August 5 at Philadelphia’s federal courthouse, located in the James A. Byrne building on Market Street. Typically, these cases conclude with a judge’s signature rather than any significant courtroom drama. Payments won’t be made until after that hearing, and even then, only after any appeals have been settled. Therefore, filing now does not guarantee a check the following week. If everything proceeds as planned, it will eventually result in a check.
Once the settlement is finalized, customers who do nothing will still be automatically enrolled in identity defense and restoration services. That is the consolation prize. Depending on how much you trust the company whose data security you are being paid for, it may or may not be worth more than $50 in cash.
There’s a subtle absurdity to the entire situation as you watch it unfold. The victims of identity theft now have to visit a different website, divulge additional personal information, and wait months to be partially restored. It’s difficult not to wonder how long this model lasts. However, the portal is currently operational. September 14 is the deadline. The remainder consists of paperwork.