Ex-employee sues Citrix for negligence after 6TB data breach

Lawsuit claims the firm “intentionally, willfully, recklessly or negligently” failed to take measures to protect employee data

Data breach

A former Citrix employee has filed a class-action lawsuit against the virtualisation company for failing to safeguard current and former employees' personal information during a devastating hack disclosed earlier this year.

Attackers made away with employees' and their dependents personal and financial details after infiltrating the firm's systems last year and lingering for up to six months. The volume of data stolen totalled approximately 6TB, and comprised emails, blueprints and other business documents.

But the criminals were only able to compromise this data due to Citrix's own actions and omissions, and a failure to properly protect the personal information of its staff, according to court filings submitted in Florida.

The former employee, Lindsey Howard, alleges the method of entry, known as password-spraying, is a well-known and preventable intrusion tactic. The breach could have been easily prevented, moreover, had the company adopted "industry-standard security protocols".

The company's failures also include not detecting the breach for nearly five months while hackers removed data from its networks.

"The data breach was the inevitable result of Citrix's inadequate approach to data security and the protection of its employees' personal information that it collected during the course of its business," the lawsuit said.

"The deficiencies in Citrix's data security were so significant that the intrusion by the hackers remained undetected for months, and was only revealed to Citrix when it was informed by the FBI.

"Citrix disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly or negligently failing to take adequate and reasonable measures to ensure its data systems were protected."

Howard, who held various roles with the firm between early 2006 and May 2018, is seeking compensation for the "economic damages and other actual harm" caused by the breach. This includes potential identity theft, reduced privacy, as well as lowered credit scores from credit inquiries following fraudulent activity.

Citrix's chief digital risk officer Peter Lefkowitz told IT Pro last month the company had learnt its lessons from the breach and would be reviewing password management procedures.

"Certainly the incident that happened, if anything, made us more focused on the topic, and made us look even deeper at everything that we do," Lefkowitz said during the firm's annual Synergy conference hosted in Atlanta, Georgia.

"I think this is going to be an area of really important evolution and an area of experimentation. We'd love to get to a place where we don't have to rely on passwords.

"But until we get there, we're going to have to take a layered approach. We're going to have to do passwords and checking for weak passwords, and checking for burnt passwords, and multi-factor, various sorts of multifactor, logging and monitoring, and controls on the inside."

Senior analyst with Forrester and security expert Paul McKay told IT Pro companies should expect to see more legal action given the raft of new data protection laws that have come into force across Europe and certain states in the US.

"We have seen a similar example here in the UK," McKay said. "Employees took a retail supermarket Morrisons to the High Court and managed to win damages for the employees as they were deemed to have failed in their duty to protect and maintain the security of employee information.

"Class action lawsuits have arisen for many recent US-based breaches, for example, the recent Equifax breach and are currently working their way through the legal processes.

"While these developments are showing that companies are liable to be held accountable and pursued through the legal process to redress potential damages, it is still interesting in the Citrix case that the employee has done so, given the potential risk to themselves in doing so."

McKay added that he would expect further consumer-based action to become almost a standard course of action following a future breach in the US. Employee-based action, however, would be a comparative rarity in comparison.

IT Pro approached Citrix for a statement on the legal action but did not receive a response at the time of writing.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021
Report: Security staff excluded from app development
cyber security

Report: Security staff excluded from app development

20 Jan 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

20 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021