Comcast Data Breach Leaks Thousands of Unlisted Phone Numbers

Published on
by
EFF Deeplinks Blog

Comcast Data Breach Leaks Thousands of Unlisted Phone Numbers

(Image: Comcast)

The longer my information is out there, the worse the issue gets, yet still no action. I have paid for unpublishing my information for years as I testified in a murder trial. Now, my wife, children, and I are [a]ll in danger; and I have nowhere to turn.

Four years ago, users of Comcast's phone service who had paid for their personal information to be unlisted noticed that something was amiss. Complaints started appearing from these individuals who found their names, addresses, and telephone numbers in phone directories both online and off.

Later, it was revealed that this breach of confidential information affected more than 74,000 individuals and households in California—over half of Comcast's users in California with unlisted numbers. While the breach hit California the hardest, it also occurred with Comcast customers in other states. These numbers were treated just like ordinary listed phone numbers, licensed by Comcast to "publishers," directory assistance providers, and apparently passed on to other databases and published for everyone to see.

This is but one example of how a mistake in an industry built upon the acquisition and selling of personal information can hurt people.  And this is why California law requires phone companies to protect their customers' unlisted or non-published phone numbers.1 The California Public Utilities Commission (PUC) has opened up an investigation [pdf] to determine whether and to what extent Comcast may have broken the law in allowing this release of non-published numbers. EFF Senior Staff Attorney Lee Tien has submitted testimony [pdf] as an expert witness for the California PUC in this case.

These customers were paying Comcast every month to keep their personal information out of public databases. Many of these customers rely on having a non-published number to withhold their names, telephone numbers, and addresses from public lists, not only to preserve their privacy, but to protect their safety. Data breaches like Comcast's can have grave consequences; many complaints explicitly mention abusive relationships or serious threats. As one complainant wrote:

They have put my life in danger & this is not the littlest bit of exaggerating.... I'm tired of getting the runaround & have now contacted corporate office, being paraplegic already how am I suppose [sic] to protect myself from a man that has threatened to kill me...

Comcast claims to have first heard about this breach in October of 2012, and they reported the error to California's Public Utilities Commission in January 2013. However, the Commission has found complaints about wrongly published unlisted numbers from more than two years earlier.

While "getting the runaround" from Comcast has become a matter of course, these reports reveal the actual danger that can come from a breach. And such breaches will only happen more often as more data is collected, shared, and sold.

Earlier this year, the Federal Trade Commission released its long-awaited report on the hidden intricacies of the data economy, focusing on data brokers. Apparent is the scope of use for consumer data: from marketing to risk mitigation and debt collection. Information gleaned from phone number databases can be used to flesh out profiles of individuals, making them easier targets for advertising campaigns and services—and more visible to those who want to find them.

Senior citizens often unlist their phone numbers to escape unwanted telemarketer calls. Yet, as the FTC report and many articles note, seniors are one of the more sought after segments of the population, since they are often vulnerable to deals, tricks, and scams. (For a specific example, the New York Times covered the story of Charles Guthrie, who was duped after a data broker sold his number to thieves.)

Consumers with unlisted numbers have a serious expectation of privacy, and Comcast broke not only their contracts with these customers, but most likely the law. There will be an evidentiary hearing in this case in September.

Adi Kamdar

Adi Kamdar is an activist at the Electronic Frontier Foundation specializing in copyright, patent, free speech, and intermediary liability issues. You can follow Adi on his personal Twitter account at @adikamdar.

Share This Article