Ex-employee sues Citrix for negligence after 6TB data breach

Lawsuit claims the firm “intentionally, willfully, recklessly or negligently” failed to take measures to protect employee data

Data breach

A former Citrix employee has filed a class-action lawsuit against the virtualisation company for failing to safeguard current and former employees' personal information during a devastating hack disclosed earlier this year.

Attackers made away with employees' and their dependents personal and financial details after infiltrating the firm's systems last year and lingering for up to six months. The volume of data stolen totalled approximately 6TB, and comprised emails, blueprints and other business documents.

But the criminals were only able to compromise this data due to Citrix's own actions and omissions, and a failure to properly protect the personal information of its staff, according to court filings submitted in Florida.

The former employee, Lindsey Howard, alleges the method of entry, known as password-spraying, is a well-known and preventable intrusion tactic. The breach could have been easily prevented, moreover, had the company adopted "industry-standard security protocols".

The company's failures also include not detecting the breach for nearly five months while hackers removed data from its networks.

"The data breach was the inevitable result of Citrix's inadequate approach to data security and the protection of its employees' personal information that it collected during the course of its business," the lawsuit said.

"The deficiencies in Citrix's data security were so significant that the intrusion by the hackers remained undetected for months, and was only revealed to Citrix when it was informed by the FBI.

"Citrix disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly or negligently failing to take adequate and reasonable measures to ensure its data systems were protected."

Howard, who held various roles with the firm between early 2006 and May 2018, is seeking compensation for the "economic damages and other actual harm" caused by the breach. This includes potential identity theft, reduced privacy, as well as lowered credit scores from credit inquiries following fraudulent activity.

Citrix's chief digital risk officer Peter Lefkowitz told IT Pro last month the company had learnt its lessons from the breach and would be reviewing password management procedures.

"Certainly the incident that happened, if anything, made us more focused on the topic, and made us look even deeper at everything that we do," Lefkowitz said during the firm's annual Synergy conference hosted in Atlanta, Georgia.

"I think this is going to be an area of really important evolution and an area of experimentation. We'd love to get to a place where we don't have to rely on passwords.

"But until we get there, we're going to have to take a layered approach. We're going to have to do passwords and checking for weak passwords, and checking for burnt passwords, and multi-factor, various sorts of multifactor, logging and monitoring, and controls on the inside."

Senior analyst with Forrester and security expert Paul McKay told IT Pro companies should expect to see more legal action given the raft of new data protection laws that have come into force across Europe and certain states in the US.

"We have seen a similar example here in the UK," McKay said. "Employees took a retail supermarket Morrisons to the High Court and managed to win damages for the employees as they were deemed to have failed in their duty to protect and maintain the security of employee information.

"Class action lawsuits have arisen for many recent US-based breaches, for example, the recent Equifax breach and are currently working their way through the legal processes.

"While these developments are showing that companies are liable to be held accountable and pursued through the legal process to redress potential damages, it is still interesting in the Citrix case that the employee has done so, given the potential risk to themselves in doing so."

McKay added that he would expect further consumer-based action to become almost a standard course of action following a future breach in the US. Employee-based action, however, would be a comparative rarity in comparison.

IT Pro approached Citrix for a statement on the legal action but did not receive a response at the time of writing.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021
UK’s IoT security regulation will also include smartphones
Internet of Things (IoT)

UK’s IoT security regulation will also include smartphones

21 Apr 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021