Data breaches are on the rise, but are companies that store employee and consumer data on their computer networks doing enough to protect your highly sensitive personal information? If you were to ask current and former employees of Citrix Systems, a Fort Lauderdale-based software corporation, the answer would likely be a resounding “no.”
Both past and present Citrix employees are joining a class action alleging the company failed to protect its computer systems containing employee data from hackers.
In April 2019, Citrix sent a notice of the data breach to current and former employees, including lead plaintiff Lindsey Howard, a former employee who lives in Coral Springs. The company’s notice explained that “cyber criminals had intermittent access to our network between October 13, 2018, and March 8, 2019, and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents.”
According to Bleeping Computer, court documents allege that international cybercriminals used password spraying attacks to infiltrate the Citrix network. Password spraying is a method attackers use to gain access to accounts by trying commonly used passwords across many accounts.
Ms. Howard alleges the “data breach was entirely preventable given that password spraying is a well-known tactic of cyber attackers.” The Department of Homeland Security (DHS) has disseminated information about the tactics, techniques, and procedures hackers use in spraying attacks. The DHS also recommends measures cybersecurity professionals can use to mitigate the threat of such an attack. Had Citrix followed the DHS’s recommendations, it would have effectively blocked the attackers from gaining access to the Citrix network, according to the complaint.
Compounding the problem, Citrix failed to use adequate monitoring systems and controls that would have alerted it to an intrusion. Because of these security failures, Citrix didn’t know about the data breach until contacted by the FBI.
The lawsuit states that Ms. Howard seeks damages for Citrix’s failure to “secure and safeguard its current and former employees” … personal information. That information includes names, Social Security numbers, financial information, and other personally identifiable information that Citrix collected as a condition of employment.
Ms. Howard filed the class action in a South Florida federal court, accusing Citrix of negligence, violations of the Florida Unfair and Deceptive Trade Practices Act, breach of implied contract, breach of fiduciary duty, and breach of confidence.
Citrix does not say in its notice of data breach how many employees the breach affected, but at the time of the incident, the company employed 8,200 people.
The complaint alleges that because of the data breach, class members “face years of constant surveillance of their financial and personal records, monitoring, and loss of rights.” Employees affected by the breach will continue to incur financial losses due to fraudulent activity on their debit and credit accounts, the lawsuit alleges.
It’s not clear if Citrix will face any state penalties for its cybersecurity failures. Laws and regulations governing network security issues are either nonexistent or weak at best in most states. Regulatory fines, however, would have little meaningful impact on a company that reported net revenues just short of $3 billion last year.
According to Security Boulevard, legislative efforts to boost cybersecurity have resulted in little success. Some companies have made better efforts to protect data, but the number and scope of critical breaches continue to soar – a sure sign that many companies simply aren’t doing enough.
If government regulations don’t prompt the private sector to sufficiently protect employees and consumers from identity theft, financial loss, and other fraud, what will?
In a word, lawsuits. A class action such as the one against Citrix could have the power to hit the company’s bottom line, which is what matters most.
Security Boulevard notes how cases like the Citrix class action can hold companies accountable for lax security even when no laws have been broken.
“This is big. We are starting to look at the failure to protect data as a traditional legal action as opposed to one requiring specialized legislation for data breaches. This also means that the community has understood the significance of protecting its data and is taking steps to ensure that it is safe; in this case, by suing organizations who do not protect it.”
Beasley Allen lawyer Archie Grubb handles cases involving fraud, including issues involving cybersecurity affecting consumers, the public and employees. If you feel you have a claim of economic loss related to cybersecurity issues, he would like to talk with you.