31 Million Comcast Customers Can Now Claim Part of a $117.5 Million Data Breach Settlement
What the Hasson v. Comcast Settlement Means for You — and What to Do Before the August 14 Deadline
Mason & Perry LLP | April 20, 2026
Few things feel as personal as the data your internet provider holds about you: your name, your address, your date of birth, the last four digits of your Social Security number, even the answers to your “secret” security questions. In late 2023, that information for more than 31 million Comcast customers slipped into the hands of criminal hackers. Today, those customers finally have a way to recoup some of what that breach cost them — but only if they act before this summer.
The $117.5 million class action settlement in Hasson v. Comcast Cable Communications, LLC, No. 2:23-cv-05039-JMY, pending in the U.S. District Court for the Eastern District of Pennsylvania, is one of the largest consumer data breach settlements of the year. It is also a sharp reminder of how exposed everyday Americans remain when the companies they trust cut corners on cybersecurity.
How the Comcast Breach Happened
Between October 16 and October 19, 2023, unknown attackers slipped through a software vulnerability known informally as “Citrix Bleed” (CVE-2023-4966) — a flaw in Citrix NetScaler products that gave outsiders the ability to hijack active user sessions and walk right past authentication. Comcast used NetScaler to manage remote access for employees and contractors. According to the complaint, Citrix publicly disclosed the vulnerability on October 10, 2023, and urged customers to patch immediately. By the time Comcast applied the fix, the attackers had already been inside for days.
What they took was a data broker’s dream and a consumer’s nightmare. Court filings allege the stolen information included usernames and hashed passwords, customer names, contact information, dates of birth, the last four digits of Social Security numbers, and the answers to security questions used to reset accounts. Comcast did not notify affected customers until December 18, 2023 — roughly two months after the intrusion.
The Lawsuit and the Settlement
The lead plaintiffs sued Comcast Cable Communications, LLC, Comcast Corporation, Citrix Systems, Inc., and Cloud Software Group, Inc., alleging negligence, breach of implied contract, and violations of various state consumer-protection and data-breach-notification statutes. The plaintiffs argued that Comcast failed to implement reasonable security measures despite warnings about the Citrix vulnerability, and that the company waited too long to tell customers their information had been exposed.
After nearly two years of litigation, the parties reached a proposed settlement that received preliminary approval earlier this year. Comcast denies wrongdoing but has agreed to establish a $117.5 million fund to resolve the claims. The settlement class includes the approximately 31,658,000 current and former Comcast customers in the United States and its territories who received an individual notice about the October 2023 breach.
The final approval hearing is scheduled for July 7, 2026. Claims must be submitted by August 14, 2026, and the deadline to exclude yourself from the class (in order to preserve the right to sue on your own) is June 1, 2026.
What Class Members Can Receive
Eligible class members have three options, and choosing wisely matters.
Documented out-of-pocket losses up to $10,000. If you can show that you suffered identity theft, fraudulent tax returns, unauthorized credit card charges, credit-monitoring or credit-freeze fees, or similar costs traceable to the breach, you can seek reimbursement up to $10,000. Keep your receipts, bank statements, and any police or FTC identity-theft reports.
Lost-time payments of $30 per hour for up to five hours. The settlement recognizes that dealing with a breach is itself a harm. Class members can claim up to five hours at $30 per hour — a maximum of $150 — for time spent changing passwords, monitoring accounts, or cleaning up fraud.
An alternative cash payment of up to $50. Class members who prefer not to document losses can elect a flat cash payment. The final amount depends on how many people file, but the settlement caps it at $50 per claimant.
Class members can also enroll in two years of identity-defense and restoration services at no cost.
Why This Settlement Matters Beyond Comcast
Hasson is part of a larger trend courts are only beginning to sort out: holding companies accountable not just for being hacked, but for the delay between knowing they were hacked and telling the people whose data was stolen. Comcast learned of the Citrix Bleed vulnerability in October 2023 and confirmed the intrusion weeks later, yet customers were not notified until mid-December. During that window, affected individuals had no ability to freeze their credit, change their passwords, or watch for fraudulent accounts opened in their names.
State data-breach-notification statutes — including Pennsylvania’s Breach of Personal Information Notification Act, 73 P.S. §§ 2301–2329, and California’s data-breach-notification law, Cal. Civ. Code § 1798.82 — generally require notice “without unreasonable delay.” What counts as “unreasonable” is exactly the kind of question that class actions like this one are forcing courts to answer. Expect to see more settlements in which the lag between breach and notice is itself a driver of liability.
Practical Steps for Comcast Customers — and Everyone Else
Check your email and mail for the settlement notice. If you were a Comcast customer at the end of 2023, you likely received a notice with a unique Class Member ID and PIN. You will need those to file a claim at the official settlement website.
Pull your credit reports. Every American is entitled to free weekly reports from each of the three major bureaus at AnnualCreditReport.com. Look for accounts you did not open.
Freeze your credit at all three bureaus. A credit freeze is free, reversible, and far more protective than mere monitoring. It blocks new creditors from pulling your file, and that access is exactly what identity thieves need to open accounts in your name.
Change passwords and security questions, especially reused ones. If your Comcast security-question answers (mother’s maiden name, first pet, childhood street) were stolen, assume they are compromised everywhere you used them.
Save everything. If you spot any suspicious activity, document it — dates, amounts, phone calls, correspondence. That paper trail is what unlocks the larger out-of-pocket reimbursement under the settlement.
Mason & Perry LLP represents individuals and groups in data breach and privacy class action litigation. If you believe your data was improperly collected or shared, contact us to discuss your options.