Citrix employees win $2.3m settlement over 2019 data breach

The cyber attack resulted in the loss of 6TB worth of data

A group of current and former Citrix employees who had their data stolen in a 2019 data breach have managed to secure a $2.28million (£1.66M) settlement in court.

The unopposed motion, which was first agreed in June 2020, has been preliminarily approved by a Florida federal judge Ron Altman.

The $2.275 million settlement is to provide approximately 24,316 victims of the data breach, which included Citrix employees, contractors, interns, job candidates, beneficiaries, and dependents. The funds are to be used for up to five years of credit monitoring services, identity theft recovery, as well as up to $15,000 (£11,000) in reimbursement for expenses and losses per claimant.

The class action lawsuit is to be finalised over a Zoom hearing scheduled for 10 June 2021.

The major cyber attack, which was first reported in March 2019, resulted in the loss of 6TB worth of data including emails, blueprints and other business documents. Citrix, which has clients including businesses, the American military and government departments, announced that the incident had been brought to their attention by the FBI days earlier.

However, cyber security firm Resecurity claimed to have first alerted Citrix to early warning signs of a breach as early as 28 December 2018, and since then has continued to present its findings to the FBI. This means that attackers had been lingering in Citrix’s systems for around five months.

The attack was attributed to the Iranian hacking group IRIDIUM which, according to Citrix, used a password spraying technique to establish an initial foothold before circumventing further security layers.

Following the incident, Citrix's chief digital risk officer Peter Lefkowitz told IT Pro that the company had learnt its lessons from the breach and would be reviewing password management procedures.

However, this didn’t prevent the victims from seeking legal action. In June 2019, former employee Lindsey Howard filed a class action lawsuit accusing Citrix of “intentionally, willfully, recklessly or negligently” failing to take measures to protect employee data.

"The data breach was the inevitable result of Citrix's inadequate approach to data security and the protection of its employees' personal information that it collected during the course of its business," the lawsuit said.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021
1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
PowerShell threats increased over 200% last year
cyber security

PowerShell threats increased over 200% last year

14 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021