Ex-employee sues Citrix for negligence after 6TB data breach

Lawsuit claims the firm “intentionally, willfully, recklessly or negligently” failed to take measures to protect employee data


A former Citrix employee has filed a class-action lawsuit against the virtualisation company for failing to safeguard current and former employees' personal information during a devastating hack disclosed earlier this year.

Attackers made away with employees' and their dependents' personal and financial details after infiltrating the firm's systems last year and lingering for up to six months. The volume of data stolen totalled approximately 6TB, and comprised emails, blueprints and other business documents.


But the criminals were only able to compromise this data due to Citrix's own actions and omissions, and a failure to properly protect the personal information of its staff, according to court filings submitted in Florida.

The former employee, Lindsey Howard, alleges that the method of entry, known as password-spraying, is a well-known and preventable intrusion tactic. In a password-spraying attack, the intruder tries a small number of common passwords against many accounts rather than many passwords against one account, staying beneath per-account lockout thresholds. The breach could have been easily prevented, moreover, had the company adopted "industry-standard security protocols".

The company's alleged failures also include not detecting the breach for nearly five months while the hackers removed data from its networks.

"The data breach was the inevitable result of Citrix's inadequate approach to data security and the protection of its employees' personal information that it collected during the course of its business," the lawsuit said.


"The deficiencies in Citrix's data security were so significant that the intrusion by the hackers remained undetected for months, and was only revealed to Citrix when it was informed by the FBI.


"Citrix disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly or negligently failing to take adequate and reasonable measures to ensure its data systems were protected."

Howard, who held various roles with the firm between early 2006 and May 2018, is seeking compensation for the "economic damages and other actual harm" caused by the breach. This includes potential identity theft, reduced privacy, as well as lowered credit scores from credit inquiries following fraudulent activity.

Citrix's chief digital risk officer Peter Lefkowitz told IT Pro last month the company had learnt its lessons from the breach and would be reviewing password management procedures.

"Certainly the incident that happened, if anything, made us more focused on the topic, and made us look even deeper at everything that we do," Lefkowitz said during the firm's annual Synergy conference hosted in Atlanta, Georgia.

"I think this is going to be an area of really important evolution and an area of experimentation. We'd love to get to a place where we don't have to rely on passwords.


"But until we get there, we're going to have to take a layered approach. We're going to have to do passwords and checking for weak passwords, and checking for burnt passwords, and multi-factor, various sorts of multifactor, logging and monitoring, and controls on the inside."
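The layered controls Lefkowitz describes, weak- and breached-password checks, multi-factor authentication, and logging and monitoring, only help against a spray if the monitoring side can actually recognise one. The detector below is an added example written for this page; it is not Citrix's code and is not taken from the lawsuit. It assumes a syslog-style authentication line format of its own invention ("<timestamp> auth FAIL|OK user=<name> src=<ip>"), and the log lines, IP addresses and thresholds are constructed for illustration. It also shows why a conventional per-account lockout rule misses the same traffic: the one account it would lock is the legitimate user who mistyped their password.

```python
"""Password-spray detection over authentication logs (added example).

A spray tries one or two passwords against many accounts, so a
per-account failure counter never reaches its lockout threshold.
The signal is instead: one source, many distinct usernames, very
few failures per username, inside a short window.  This detector
groups failed logins by source address over a sliding window and
flags sources that match that shape, then reports any successful
login from the same source, which is the account most likely taken.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (invented for this example, not a product's):
#   <ISO timestamp> auth <FAIL|OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth\s+(?P<result>FAIL|OK)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample log: one source sprays a single password across
# seven accounts and gets in on the seventh; a second, benign source
# is one user mistyping their own password five times, then succeeding.
SAMPLE_LOG = """\
2019-01-10T09:00:01 auth FAIL user=alice src=203.0.113.7
2019-01-10T09:00:04 auth FAIL user=bob   src=203.0.113.7
2019-01-10T09:00:07 auth FAIL user=carol src=203.0.113.7
2019-01-10T09:00:10 auth FAIL user=dave  src=203.0.113.7
2019-01-10T09:00:13 auth FAIL user=erin  src=203.0.113.7
2019-01-10T09:00:16 auth FAIL user=frank src=203.0.113.7
2019-01-10T09:00:19 auth OK   user=grace src=203.0.113.7
2019-01-10T09:05:00 auth FAIL user=alice src=198.51.100.5
2019-01-10T09:05:20 auth FAIL user=alice src=198.51.100.5
2019-01-10T09:05:40 auth FAIL user=alice src=198.51.100.5
2019-01-10T09:06:00 auth FAIL user=alice src=198.51.100.5
2019-01-10T09:06:20 auth FAIL user=alice src=198.51.100.5
2019-01-10T09:06:40 auth OK   user=alice src=198.51.100.5
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that
    do not match the expected format (so junk is skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"].lower(),   # normalise case: Alice == alice
        "src": m["src"],
    }


def lockout_candidates(lines, threshold=5):
    """Classic per-account rule: users with >= threshold failures.
    Shown here to demonstrate what it catches (the benign user) and
    what it misses (every sprayed account, which sees one failure)."""
    fails = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return {u for u, n in fails.items() if n >= threshold}


def detect_spray(lines, window=timedelta(minutes=10),
                 min_users=5, max_per_user=3):
    """Return {src: finding} for every source whose failed logins in
    some `window` touch at least `min_users` distinct accounts with no
    account failing more than `max_per_user` times (the spray shape)."""
    events = sorted(filter(None, map(parse_line, lines)),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user):
                spray_start = fails[start]["ts"]
                findings[src] = {
                    "first_seen": spray_start,
                    "last_seen": fails[-1]["ts"],
                    "accounts_targeted": len({e["user"] for e in fails}),
                    # Any success from the same source once the spray
                    # began is the account that the sprayed password fit.
                    "successful_logins": sorted({
                        e["user"] for e in evs
                        if e["result"] == "OK" and e["ts"] >= spray_start}),
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-account lockout would trip for:", lockout_candidates(lines))
    for src, f in detect_spray(lines).items():
        print(f"spray from {src}: {f['accounts_targeted']} accounts, "
              f"successful logins {f['successful_logins']}")
```

Grouping by source address is the simplest cut and is defeated by a spray distributed across many addresses; in production the same window logic should also run globally (distinct accounts with a single failure each across all sources) and against the breached-password and MFA-bypass signals Lefkowitz lists, rather than as a stand-alone rule.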

Senior analyst with Forrester and security expert Paul McKay told IT Pro companies should expect to see more legal action given the raft of new data protection laws that have come into force across Europe and certain states in the US.

"We have seen a similar example here in the UK," McKay said. "Employees took the retail supermarket Morrisons to the High Court and managed to win damages for the employees, as they were deemed to have failed in their duty to protect and maintain the security of employee information.

"Class action lawsuits have arisen for many recent US-based breaches, for example the recent Equifax breach, and are currently working their way through the legal processes.


"While these developments are showing that companies are liable to be held accountable and pursued through the legal process to redress potential damages, it is still interesting in the Citrix case that the employee has done so, given the potential risk to themselves in doing so."

McKay added that he would expect consumer-led action to become almost a standard response to a future breach in the US. Employee-led action, however, would remain comparatively rare.

IT Pro approached Citrix for a statement on the legal action but did not receive a response at the time of writing.
