Ex-employee sues Citrix for negligence after 6TB data breach

Lines of code on a computer screen
(Image credit: Shutterstock)

A former Citrix employee has filed a class-action lawsuit against the virtualisation company for failing to safeguard current and former employees' personal information during a devastating hack disclosed earlier this year.

Attackers made away with employees' and their dependents personal and financial details after infiltrating the firm's systems last year and lingering for up to six months. The volume of data stolen totalled approximately 6TB, and comprised emails, blueprints and other business documents.

But the criminals were only able to compromise this data due to Citrix's own actions and omissions, and a failure to properly protect the personal information of its staff, according to court filings submitted in Florida.

The former employee, Lindsey Howard, alleges the method of entry, known as password-spraying, is a well-known and preventable intrusion tactic. The breach could have been easily prevented, moreover, had the company adopted "industry-standard security protocols".

The company's failures also include not detecting the breach for nearly five months while hackers removed data from its networks.

"The data breach was the inevitable result of Citrix's inadequate approach to data security and the protection of its employees' personal information that it collected during the course of its business," the lawsuit said.

"The deficiencies in Citrix's data security were so significant that the intrusion by the hackers remained undetected for months, and was only revealed to Citrix when it was informed by the FBI.

"Citrix disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly or negligently failing to take adequate and reasonable measures to ensure its data systems were protected."

Howard, who held various roles with the firm between early 2006 and May 2018, is seeking compensation for the "economic damages and other actual harm" caused by the breach. This includes potential identity theft, reduced privacy, as well as lowered credit scores from credit inquiries following fraudulent activity.

Citrix's chief digital risk officer Peter Lefkowitz told IT Pro last month the company had learnt its lessons from the breach and would be reviewing password management procedures.

"Certainly the incident that happened, if anything, made us more focused on the topic, and made us look even deeper at everything that we do," Lefkowitz said during the firm's annual Synergy conference hosted in Atlanta, Georgia.

"I think this is going to be an area of really important evolution and an area of experimentation. We'd love to get to a place where we don't have to rely on passwords.

"But until we get there, we're going to have to take a layered approach. We're going to have to do passwords and checking for weak passwords, and checking for burnt passwords, and multi-factor, various sorts of multifactor, logging and monitoring, and controls on the inside."

Senior analyst with Forrester and security expert Paul McKay told IT Pro companies should expect to see more legal action given the raft of new data protection laws that have come into force across Europe and certain states in the US.

"We have seen a similar example here in the UK," McKay said. "Employees took a retail supermarket Morrisons to the High Court and managed to win damages for the employees as they were deemed to have failed in their duty to protect and maintain the security of employee information.

"Class action lawsuits have arisen for many recent US-based breaches, for example, the recent Equifax breach and are currently working their way through the legal processes.

"While these developments are showing that companies are liable to be held accountable and pursued through the legal process to redress potential damages, it is still interesting in the Citrix case that the employee has done so, given the potential risk to themselves in doing so."

McKay added that he would expect further consumer-based action to become almost a standard course of action following a future breach in the US. Employee-based action, however, would be a comparative rarity in comparison.

IT Pro approached Citrix for a statement on the legal action but did not receive a response at the time of writing.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.