Critical · ADT: Breach & Attack Sequence
April 2026 · Third breach since August 2024
  • 5.5M records exposed
  • 3rd breach since Aug 2024

Critical · Comcast: Three Breaches, Three Vendors, Zero Stops
February 2024 – October 2025 · 18 months of repeat incidents
  • $1.5M FCC fine
  • 834 GB exfiltrated by Medusa
Attack Sequence
ADT

A vishing (voice phishing) call convinced an ADT employee to hand over their Okta SSO credentials. No malware. No email link. No perimeter crossing — just a phone call.

ADT Attack Sequence

1. Vishing call → employee hands over Okta credentials. Attacker impersonates IT support. No malware deployed. No email link clicked.
2. Okta SSO session authenticated. Legitimate credentials pass MFA. From Okta's perspective: valid login.
3. Salesforce CRM accessed and exfiltrated. SSO token grants full access. 5.5M customer records staged and pulled.
4. ShinyHunters demands ransom → ADT refuses → data published. April 27, 2026: data released publicly. ADT's third breach in 18 months.
Comcast

Three separate attack vectors across 18 months — vendor blind spot, phishing, ransomware — each exploiting a different layer of the same gap.

Breach 1 — FBCS Vendor Blind Spot (Feb 2024)

1. Decommissioned vendor FBCS breached. FBCS still held Comcast customer data years after the contract ended. Attackers encrypted systems and exfiltrated records Feb 14–26.
2. FBCS tells Comcast "no impact" (March 2024) — wrong. Comcast closes its investigation. FBCS corrects itself in July 2024. Comcast notifies customers in October — 8 months after the breach.
3. FCC fines Comcast $1.5M. Mandatory vendor oversight program imposed. Reports indicate regulators found Comcast had no adequate mechanism to detect data exposure at a vendor it no longer worked with.

Breach 2 — Phishing + Lateral Movement (Jan 2025)

1. Phishing steals employee credentials. Attackers gain network access, move laterally to database infrastructure, exfiltrate customer data, and deploy ransomware. 237,000 broadband customers affected.

Breach 3 — Medusa Ransomware (Sep–Oct 2025)

1. Medusa claims to have exfiltrated 834 GB and demands $1.2M. Medusa published data across 47 split files on October 19, 2025 and demanded $1.2M. Comcast has not confirmed the breach; some analysts have disputed whether all of the data originates from Comcast.
Security Stack — What They Had
ADT

  • 🛡️ Palo Alto Networks — Full Platform. NGFW · Cortex XDR · Cortex XSOAR · Cortex XSIAM · Prisma Cloud · Prisma SASE — deployed across ADT's environment; the vendor's own published case study describes the platform as "best-of-breed".
    Gap: XDR + SIEM covers known threat patterns — not a valid authenticated session behaving abnormally inside Salesforce.
  • 🔑 Okta — SSO & Identity Federation. Federated SSO across the SaaS estate including Salesforce. MFA enabled.
    Gap: Validates identity at login — not what the session does with data after authentication.

Comcast

  • 🌐 Akamai — SecurityEdge. DNS-layer threat protection, blocking malicious domains at the network edge. Updates threat intelligence every 10 minutes.
    Gap: Edge-only — no visibility into a decommissioned vendor's environment or post-auth data movement.
  • 🔍 Comcast Business MDR — 24/7 SOC. In-house managed detection and response with industry-certified analysts monitoring Comcast's own environment around the clock.
    Gap: MDR scope ends at Comcast's perimeter — FBCS was outside it.
  • ❄️ Snowflake — Security Data Fabric. 10+ petabyte security data lake; automated sweeps of 50,000+ threat indicators. Full-year hot retention.
    Gap: Retrospective analytics — detects and analyzes after the fact, does not block data movement in real time.
What a Runtime Control Plane Would Have Done
ADT
A behavioral baseline on the Okta session would have flagged bulk CRM export from an account that had never done it before — on a new device, at off-hours — and halted the transfer before 5.5M records left Salesforce. The PANW + Okta stack had no mechanism to ask "should this valid session be pulling this much data?"
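The session baseline described above, as an added illustration (not RuntimeAI's or any vendor's code): a small Python policy check that builds a per-account baseline from prior CRM activity and blocks a bulk export when it comes from an account that has never exported at that scale, from a device the account has not used, or outside business hours. The event shape and field names, the 10,000-record bulk threshold and the 07:00–19:59 business window are assumptions, and the history is constructed sample data.

```python
from datetime import datetime

# Constructed sample history: prior CRM activity for one SSO-federated account.
# Not real ADT/Salesforce data; field names and shapes are assumptions.
HISTORY = [
    {"user": "j.doe", "device": "lt-4471", "ts": "2026-03-02T10:15:00", "action": "read", "records": 3},
    {"user": "j.doe", "device": "lt-4471", "ts": "2026-03-09T14:40:00", "action": "read", "records": 1},
    {"user": "j.doe", "device": "lt-4471", "ts": "2026-03-16T09:05:00", "action": "export", "records": 40},
]

BULK_THRESHOLD = 10_000        # records in one export; policy constant, an assumption
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time; an assumption


def build_baseline(history):
    """Per-user baseline: devices seen, largest export so far, and hours active."""
    base = {}
    for e in history:
        b = base.setdefault(e["user"], {"devices": set(), "max_export": 0, "hours": set()})
        b["devices"].add(e["device"])
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        if e["action"] == "export":
            b["max_export"] = max(b["max_export"], e["records"])
    return base


def evaluate(event, baseline):
    """Runtime decision for one data-access event: ('allow' | 'block', reasons)."""
    b = baseline.get(event["user"], {"devices": set(), "max_export": 0, "hours": set()})
    reasons = []
    if event["action"] == "export" and event["records"] >= BULK_THRESHOLD:
        reasons.append("bulk export")
        if b["max_export"] < BULK_THRESHOLD:
            reasons.append("account has never exported at this scale")
    if event["device"] not in b["devices"]:
        reasons.append("new device")
    if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    # Block only when a bulk export coincides with at least one anomaly signal;
    # a lone new device or off-hours read is recorded in `reasons` but allowed.
    if "bulk export" in reasons and len(reasons) > 1:
        return "block", reasons
    return "allow", reasons


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    # Constructed event modelled on the scenario: huge export, unknown device, 02:30.
    attempt = {"user": "j.doe", "device": "unknown-9", "ts": "2026-04-12T02:30:00",
               "action": "export", "records": 5_500_000}
    print(evaluate(attempt, bl))
```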
Comcast
A runtime policy on vendor data access would have flagged FBCS's continued data retention the moment the contract ended — not discovered it 8 months after the breach. Exfiltration rate monitoring would have triggered a policy alert during Medusa's 834 GB pull, not after the fact. Third-party vendor risk is unscoped for every tool in Comcast's stack.
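The vendor-access and exfiltration-rate policies described above, as an added illustration that is not RuntimeAI's code: a Python check that denies a third party's data access once its contract end date has passed or the dataset is outside its approved scope, plus a sliding-window egress counter that raises an alert when transfers exceed a rate limit. The vendor register, contract dates, the 5 GB/hour limit and the transfer log are constructed assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed vendor register; names, dates and dataset labels are placeholders,
# not Comcast's or FBCS's real contract data.
VENDORS = {
    "fbcs": {"contract_end": "2021-06-30", "allowed": {"collections_accounts"}},
    "active-vendor": {"contract_end": "2027-12-31", "allowed": {"billing"}},
}
RATE_LIMIT_GB_PER_HOUR = 5.0  # policy constant; an assumption


def check_vendor_access(vendor, dataset, ts, vendors=VENDORS):
    """Policy decision for one third-party access: (decision, reason).

    Access is denied once the contract end date has passed, regardless of
    whether the vendor still holds copies of the data, and when the dataset
    is not in the vendor's approved scope.
    """
    v = vendors.get(vendor)
    if v is None:
        return "deny", "unknown vendor"
    if datetime.fromisoformat(ts).date() > date.fromisoformat(v["contract_end"]):
        return "deny", "contract ended"
    if dataset not in v["allowed"]:
        return "deny", "dataset not in scope"
    return "allow", "in scope"


def rate_alerts(transfers, window=timedelta(hours=1), limit_gb=RATE_LIMIT_GB_PER_HOUR):
    """Sliding-window egress check over (iso_timestamp, gigabytes) records.

    Returns the timestamps at which the volume moved inside the trailing
    window first exceeds limit_gb, i.e. the moment a policy alert should fire.
    """
    alerts, buf = [], []
    for ts, gb in sorted(transfers):
        t = datetime.fromisoformat(ts)
        buf.append((t, gb))
        buf = [(u, g) for u, g in buf if t - u < window]  # drop expired entries
        if sum(g for _, g in buf) > limit_gb:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    print(check_vendor_access("fbcs", "collections_accounts", "2024-02-14T03:00:00"))
    # Constructed transfer log: three 2 GB pulls inside one hour, then a quiet period.
    log = [("2025-10-01T01:00:00", 2.0), ("2025-10-01T01:20:00", 2.0),
           ("2025-10-01T01:40:00", 2.0), ("2025-10-01T05:00:00", 1.0)]
    print(rate_alerts(log))
```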

The Pattern These Vendors Share

ADT and Comcast had different vendors, different attack vectors, and different industries. But the failure mode is identical across all four incidents:

The gap is not a failure of these individual products. It's a category gap. None of them are designed to enforce data access policy at runtime — between an authenticated session and the data it touches.

This gap has always existed in traditional IT environments. The reason it's becoming critical now is AI agents. When your internal systems include AI agents that autonomously access APIs, query databases, call external services, and act on customer data — that session-to-data layer is no longer monitored by a human who might notice something is wrong. It's a machine, running at machine speed, with the same identity credentials as your trusted employees.

The vishing attack that compromised ADT's Okta SSO works identically against an AI agent that has been issued an SSO token. The FBCS vendor that retained Comcast data is the functional equivalent of a third-party AI tool that has been granted API access to your CRM. The attack surface is the same. The detection gap is the same. The vendors covering it are the same — which is to say, none.

What Actually Stops These Attacks — How RuntimeAI Does It

The gap in both stacks is the same: no product enforces policy at the moment a session — human or AI — actually touches data. RuntimeAI closes that layer. Here's what that means in practice for each scenario.

🧠 Behavioral Policy Enforcement

RuntimeAI enforces policy on what authenticated sessions are allowed to do — not just whether they logged in successfully. Unusual data access patterns are evaluated against policy before they complete. The kind of bulk export that cost ADT 5.5M records doesn't execute silently.

🏢 Vendor & Third-Party Data Governance

RuntimeAI governs what data third parties can access and for how long — enforced at the policy layer, not audited after the fact. When a vendor relationship ends, so does their access. Comcast's FBCS exposure would have been flagged at contract end, not discovered years later.

Real-Time Enforcement — Not Retrospective Detection

Analytics tools tell you a breach happened. RuntimeAI acts while it's happening. Abnormal data movement is caught and flagged in real time — not after 47 compressed files are posted on a dark web leak site.

🔒 AI Agent Governance & Control

AI agents operate with the same credentials as employees — and carry the same risk. RuntimeAI governs every agent action: what it can access, what it can move, and what it can send. Every call is policy-gated and logged. No agent operates outside its approved scope.

📋 Immutable Audit Trail for Compliance

Every data access event across every system — including third-party vendors — is logged to an audit trail that cannot be modified after the fact. When a regulator opens an investigation, evidence is available immediately. When a vendor says your data wasn't affected, the trail says otherwise — in hours, not months.

🕵️ Shadow AI Discovery

Your teams are deploying AI agents against production systems today — outside IT visibility. RuntimeAI surfaces every agent running in your environment, what data it's touching, and whether it's operating within its approved boundaries.

Customer Outcomes
  • Unauthorized data access blocked before exfiltration — policy enforced at the data access layer, not at the network edge. Catches what perimeter and identity tools miss.
  • Third-party vendor data exposure eliminated — vendor data access governed and time-bounded by policy; exposure ends when the contract ends.
  • FCC/regulatory audit readiness on day one — complete, immutable record of every data access event; no forensic reconstruction required after an incident.
  • AI agent sprawl under control — every agent discovered, policy-gated, and audit-logged; no agent reaches customer data outside its approved scope.
  • Mean time to contain: months → minutes — real-time enforcement means lateral movement and bulk exfiltration are caught at the first unauthorized access, not discovered in an FCC fine or a dark web post.
🏢 Works Alongside Your Existing Stack

RuntimeAI adds the enforcement layer your current vendors weren't built for — no rip-and-replace required. Start with Agent Discovery and Audit Trail. Add data governance and behavioral enforcement as you expand. Start your free trial →

Ask your current security vendors if they cover this gap. Then ask RuntimeAI — Request a Demo or Free Trial.

Ask if their XDR or SIEM would have stopped a valid, authenticated session from bulk-exporting CRM records. Ask if their MDR has visibility into a decommissioned vendor's data retention. Ask if their network security blocks post-authentication data movement. If the answer is no — ask RuntimeAI.
