Telecom SaaS firm Communications Data Group notifies 42K people of data breach on behalf of Duo Broadband

Telecom service provider Communications Data Group yesterday confirmed it notified 42,518 people of a February 2025 data breach on behalf of telecom company Duo Broadband. The breach exposed personal data including names, addresses, dates of birth, and Social Security numbers of Duo Broadband customers.

CDG says it is the billing vendor for Duo Broadband.

“On February 13, 2025, we discovered a data security incident in which a cyber threat actor attempted to disrupt our systems in a possible effort to deploy ransomware, and solicit a ransom payment from us,” says CDG’s notice to Duo Broadband customers.

Ransomware gang Qilin claimed responsibility for the breach at CDG in March 2025.

Communications Data Group has not verified Qilin’s claim. We do not know if the company paid a ransom, how much Qilin demanded, if other CDG clients are affected, or how attackers breached CDG’s network. Comparitech contacted Communications Data Group for comment and will update this article if it replies.

CDG is offering eligible victims free credit monitoring through Kroll.

Who is Qilin?

Qilin is a ransomware gang that started claiming responsibility for attacks on its data leak site in late 2022. Also known as Agenda, Qilin is a Russia-based hacking group that mainly targets victims through phishing emails to spread its ransomware. It launched in August 2022 and runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.

Qilin has claimed 22 confirmed ransomware attacks in 2025 to date, compromising more than 568,000 records. In March, the gang claimed responsibility for a breach at software developer E.B. Archbald & Associates, which notified 17,000 people.

The attack on CDG and Duo Broadband isn’t Qilin’s first strike at utilities. Aiken Electric Cooperative notified 4,600 people in September 2024 of a data breach claimed by Qilin.

Qilin has made an additional 171 unconfirmed claims that haven’t been acknowledged by the targeted organizations.

Ransomware attacks on US utilities

Ransomware attacks on US utilities can disrupt billing, communication, access to files, and, in more extreme cases, service delivery. The attacks can lock down computer systems and steal data. Utilities must then pay a ransom to restore their systems and for the ransomware group to refrain from selling or publicly releasing the stolen data. If they don’t, utilities face extended downtime, data loss, and putting customers at increased risk of fraud.

Qilin’s attack on CDG and Duo Broadband is the first confirmed ransomware attack of the year against US utility companies. In 2024, we logged 14 such attacks, twice as many as in 2023. Those attacks affected 842,059 and 324,521 records, respectively.

The attack on CDG is the third-largest since 2023 by number of records compromised. The two larger attacks were:

• Frontier Communications notified 751,000 people after a May 2024 data breach claimed by RansomHub
• Dish Network notified 297,000 people after a February 2023 data breach by unknown attackers

About Communications Data Group and Duo Broadband

Based in Champaign, Illinois, Communications Data Group is a software-as-a-service vendor for telecommunications companies. It provides billing and other services for several telecom companies including Duo Broadband.

Duo Broadband is an internet service provider based in Jamestown, Kentucky that sells phone, TV and internet service.