The Six Days Comcast Had to Stop It — and Didn’t: Inside the $117.5 Million Data Breach Settlement
One of the tallest structures in the state, the Comcast Center in Philadelphia is a glass tower that can be seen from a great distance. In October 2023, a patch for a critical software vulnerability sat uninstalled inside the company’s massive technical infrastructure. Citrix had released the fix on October 10. It closed a vulnerability in the NetScaler software that let attackers take over authenticated user sessions without needing any credentials, a flaw that researchers would later call Citrix Bleed. Six days later, hackers used it to get into Xfinity’s systems. They spent four days there, and before leaving they took information on about 35.8 million customers.
About two months after the intrusion, on December 18, 2023, Comcast made the breach public. In its cautious first statement, the company said it was “not aware of any customer data being leaked anywhere, nor of any attacks on our customers.” One of the more unsettling aspects of the case is the timing of that statement relative to what the company most likely knew by then. Within weeks, lawsuits were being filed across the nation. In the end, twenty-four of them were consolidated into the case now pending in the Philadelphia federal courthouse as Hasson v. Comcast Cable Communications, LLC. This year Comcast agreed to pay $117.5 million to settle it.
| Company | Comcast Corporation (operating as Xfinity) |
|---|---|
| Case Name | Hasson v. Comcast Cable Communications, LLC |
| Court | U.S. District Court, Eastern District of Pennsylvania |
| Consolidated Cases | 24 separate federal class-action lawsuits |
| Settlement Amount | $117.5 million |
| Breach Dates | October 16–19, 2023 (4 days) |
| Vulnerability Exploited | Citrix Bleed (CVE-2023-4966) in Citrix NetScaler software |
| Citrix Patch Released | October 10, 2023 — 6 days before breach began |
| Public Disclosure | December 2023 (~2 months after breach) |
| Customers Affected | Approximately 35.8 million |
| Data Exposed | Usernames, hashed passwords, partial SSNs (last 4 digits), dates of birth, contact info, security questions and answers |
| Settlement Administrator | Kroll Settlement Administration LLC |
| Claim Filing Deadline | August 14, 2026 |
| Opt-Out / Objection Deadline | June 1, 2026 |
| Final Approval Hearing | July 7, 2026 — U.S. District Court, Eastern District of Pennsylvania, Philadelphia |
| Maximum Cash Payout | Up to $10,000 (documented losses) |
| Alternative Cash Payment | ~$50 (no documentation; subject to pro-rata adjustment) |
| Lost Time Compensation | Up to 5 hours at $30/hour ($150 max, within $10,000 cap) |
| Identity Protection | 3 years — CyEx Financial Shield Complete; dark web monitoring, $1M identity theft insurance |
| Comcast’s Position | Denies all wrongdoing; settled to avoid litigation costs and uncertainty |
| Claim Website | comcastbreachsettlement.com |
| Settlement Phone | (833) 319-2401 |

The stolen data is more significant than it may first appear. On their own, usernames and hashed passwords are not directly usable credentials. But combine a hashed password with a known username, a date of birth, and the correct answers to security questions, all of which were also exposed in this breach, and you have almost everything an attacker needs to reset accounts, get past identity verification checks, and reach email, bank accounts, and anything else protected by those same security questions. This layered exposure is what makes the Citrix Bleed breach particularly harmful, both technically and practically, for anyone whose information was taken.
The settlement structure offers several options. Customers with proof of financial losses, such as credit monitoring expenses, identity theft remediation costs, fraudulent charges, and credit freeze fees, may receive up to $10,000. Within that same overall cap, those who spent time dealing with the fallout may add lost time compensation at $30 per hour for up to five hours. An alternative flat payment of about $50 is available to most eligible customers without documentation, but that amount will vary with the total number of claims filed: it shrinks when participation is high. The mathematics of large-scale data breach settlements consistently produces this tension between advertised amounts and actual payouts.
For most people, the three-year identity monitoring package that each member of the settlement class can automatically enroll in is perhaps more valuable than the money. Real-time transaction alerts, one-bureau credit monitoring, dark web monitoring, and identity theft insurance up to $1 million are all included in CyEx Financial Shield Complete. Given what was revealed, three years of coverage isn’t excessive—security questions and partial Social Security numbers are the kind of identifiers that bad actors can use for years, not just months.
Throughout the settlement process, Comcast has denied any wrongdoing and maintained, with some technical accuracy, that the vulnerability was in Citrix’s software, not Comcast’s own code. What that framing omits is the simpler question of what Comcast’s security team was doing between October 10, when the patch became available, and October 16, when the attack began. Comcast might have had trouble explaining that gap to a jury. That may be one reason it chose to settle rather than go to trial.
The final approval hearing will be held in Philadelphia on July 7. The settlement is not final until the judge gives official approval. Customers who wish to keep their right to sue Comcast independently over this breach must opt out by June 1. Once the court approves the settlement, customers who do nothing will be bound by it and will receive no cash payment, though they will still be able to use the identity monitoring services. To file a claim, customers must either use the lookup tool on the settlement website or provide the unique class member ID included in the breach notification email sent in December 2023. The deadline for cash compensation claims is August 14, 2026.
As the Comcast settlement moves closer to final approval, it seems more likely that lawyers will be satisfied than consumers. After writing a sizable check and denying any wrongdoing, Comcast resumes running one of the biggest cable and internet companies in the nation. Depending on the documentation they may or may not have thought to save at the time, customers whose security questions and partial Social Security numbers were copied in four October days could receive anywhere from $50 to $10,000. The monitoring services are genuine and beneficial. A large number divided by a very large denominator seldom yields a figure that feels proportionate to the initial breach. For most people, the cash compensation reflects the same arithmetic problem that characterizes nearly every data breach class action.