Comcast Agrees to $117.5M Settlement Over Citrix Bleed Breach That Exposed 31.6 Million Customers

Comcast has agreed to pay $117.5 million to settle a class action lawsuit stemming from the October 2023 data breach in which attackers exploited the Citrix Bleed vulnerability to compromise the personal information of 31.6 million customers.

US District Judge John Milton Younge granted preliminary approval on January 16, calling the agreement "fair, reasonable, and adequate." A final approval hearing is scheduled for July 7.

The Breach

Between October 16 and 19, 2023, unauthorized third parties exploited a vulnerability in Citrix NetScaler products, which Comcast used to consolidate remote access and provide single sign-on across applications, to reach Comcast's internal systems. The attackers obtained usernames and passwords, names, contact information, the last four digits of Social Security numbers, dates of birth, and secret questions and answers for more than 30 million current and former customers.

Comcast publicly disclosed the breach in December 2023. The underlying flaw, Citrix Bleed (CVE-2023-4966), is a buffer over-read in NetScaler ADC and NetScaler Gateway that lets an unauthenticated attacker read session tokens out of appliance memory and replay them to take over authenticated sessions, bypassing both passwords and multi-factor authentication. Citrix shipped fixes on October 10, 2023, and the bug became one of the most widely exploited of the year, used for session hijacking against thousands of organizations globally.

Settlement Terms

The settlement consolidates 24 related cases filed in the Eastern District of Pennsylvania and also resolves claims against Citrix Systems and Cloud Software Group. Affected class members can receive:

Three years of free financial and credit monitoring plus identity theft protection, combined with either reimbursement of documented out-of-pocket losses up to $10,000 or an alternative cash payment of $50.

Comcast stated: "Though we disagree with the claims, this settlement reflects our commitment to resolving this matter efficiently while continuing to prioritize the security and privacy of our customers."

Context

The $117.5 million settlement ranks among the largest data breach settlements in US history, though it falls short of the $575 million Equifax agreed to pay in 2019. The case underscores the cascading financial consequences of failing to patch critical vulnerabilities promptly: Citrix had published fixes for Citrix Bleed on October 10, 2023, six days before the Comcast breach window opened, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on October 18, while the intrusion was still in progress.

Recommendation

The Comcast settlement is a stark reminder that vulnerability management failures carry direct financial liability. Organizations still running unpatched Citrix NetScaler or similar internet-facing appliances should treat patch deployment as a board-level risk item. For Citrix Bleed specifically, patching alone is not enough: because the flaw leaked session tokens, Citrix and CISA advised terminating all active and persistent sessions after upgrading, since tokens stolen before the patch remain valid until those sessions are killed. The breach-to-settlement timeline of just over two years shows that legal and regulatory consequences are arriving faster. Claims filing details have not yet been published.
