Ex-employee sues Citrix for negligence after 6TB data breach

Lawsuit claims the firm “intentionally, willfully, recklessly or negligently” failed to take measures to protect employee data

Data breach

A former Citrix employee has filed a class-action lawsuit against the virtualisation company for failing to safeguard current and former employees' personal information during a devastating hack disclosed earlier this year.

Attackers made away with employees' and their dependents personal and financial details after infiltrating the firm's systems last year and lingering for up to six months. The volume of data stolen totalled approximately 6TB, and comprised emails, blueprints and other business documents.

But the criminals were only able to compromise this data due to Citrix's own actions and omissions, and a failure to properly protect the personal information of its staff, according to court filings submitted in Florida.

The former employee, Lindsey Howard, alleges the method of entry, known as password-spraying, is a well-known and preventable intrusion tactic. The breach could have been easily prevented, moreover, had the company adopted "industry-standard security protocols".

Advertisement - Article continues below
Advertisement - Article continues below

The company's failures also include not detecting the breach for nearly five months while hackers removed data from its networks.

"The data breach was the inevitable result of Citrix's inadequate approach to data security and the protection of its employees' personal information that it collected during the course of its business," the lawsuit said.

"The deficiencies in Citrix's data security were so significant that the intrusion by the hackers remained undetected for months, and was only revealed to Citrix when it was informed by the FBI.

"Citrix disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly or negligently failing to take adequate and reasonable measures to ensure its data systems were protected."

Howard, who held various roles with the firm between early 2006 and May 2018, is seeking compensation for the "economic damages and other actual harm" caused by the breach. This includes potential identity theft, reduced privacy, as well as lowered credit scores from credit inquiries following fraudulent activity.

Citrix's chief digital risk officer Peter Lefkowitz told IT Pro last month the company had learnt its lessons from the breach and would be reviewing password management procedures.

Advertisement - Article continues below

"Certainly the incident that happened, if anything, made us more focused on the topic, and made us look even deeper at everything that we do," Lefkowitz said during the firm's annual Synergy conference hosted in Atlanta, Georgia.

"I think this is going to be an area of really important evolution and an area of experimentation. We'd love to get to a place where we don't have to rely on passwords.

"But until we get there, we're going to have to take a layered approach. We're going to have to do passwords and checking for weak passwords, and checking for burnt passwords, and multi-factor, various sorts of multifactor, logging and monitoring, and controls on the inside."

Senior analyst with Forrester and security expert Paul McKay told IT Pro companies should expect to see more legal action given the raft of new data protection laws that have come into force across Europe and certain states in the US.

Advertisement - Article continues below

"We have seen a similar example here in the UK," McKay said. "Employees took a retail supermarket Morrisons to the High Court and managed to win damages for the employees as they were deemed to have failed in their duty to protect and maintain the security of employee information.

"Class action lawsuits have arisen for many recent US-based breaches, for example, the recent Equifax breach and are currently working their way through the legal processes.

Advertisement - Article continues below

"While these developments are showing that companies are liable to be held accountable and pursued through the legal process to redress potential damages, it is still interesting in the Citrix case that the employee has done so, given the potential risk to themselves in doing so."

McKay added that he would expect further consumer-based action to become almost a standard course of action following a future breach in the US. Employee-based action, however, would be a comparative rarity in comparison.

IT Pro approached Citrix for a statement on the legal action but did not receive a response at the time of writing.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

cloud computing

Google Cloud snaps up multi-cloud analytics platform for $2.6bn

13 Feb 2020

How to use Chromecast without Wi-Fi

5 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
cyber attacks

Apple Mac malware detections overtake Windows the first time

11 Feb 2020