Citrix, one of the top Software as a Service, remote workspace, and cloud services companies, is being sued by its employees over a data breach. The Florida lawsuit was filed on May 30 and alleges that cyber criminals accessed employees' personally identifiable information (PII).
Citrix creates software that allows individuals to work and collaborate remotely regardless of device or network. Citrix is probably the biggest player in this market.
According to the Complaint, on March 8, 2019, Citrix disclosed that international cyber criminals had gained access to the internal Citrix network. These criminals had access to Citrix’s internal networks from October 13, 2018 to March 8, 2019.
The named plaintiffs allege that the international cyber criminals were able to gather information on employees and their dependents including, but not limited to, their social security numbers, names, addresses, employment evaluations, tax information, brokerage and banking account numbers, as well as other sensitive data.
For the cyber geeks, the interesting allegation is that the cyber criminals used a technique called “Password Spraying,” which involves using a master list of password combinations to overwhelm a security system. Using this method, criminals basically guess password and username combinations to gain unauthorized access to networks.
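For defenders, spraying tends to appear in authentication logs as one source failing against many different accounts with only a try or two per account, which keeps per-account lockout counters quiet. The detection check below is an added example, not taken from the Complaint or from Citrix; the log format, the sample lines, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2019-01-07T09:00:01 FAIL user=alice src=203.0.113.7
2019-01-07T09:00:40 FAIL user=bob src=203.0.113.7
2019-01-07T09:01:15 FAIL user=carol src=203.0.113.7
2019-01-07T09:02:02 FAIL user=dave src=203.0.113.7
2019-01-07T09:02:50 OK user=erin src=203.0.113.7
2019-01-07T09:03:00 FAIL user=frank src=198.51.100.9
2019-01-07T09:03:05 FAIL user=frank src=198.51.100.9
2019-01-07T09:03:09 FAIL user=frank src=198.51.100.9
2019-01-07T09:03:14 FAIL user=frank src=198.51.100.9
2019-01-07T09:03:20 OK user=frank src=198.51.100.9
"""

def parse(line):
    ts, outcome, user, src = line.split()
    return datetime.fromisoformat(ts), outcome, user.split("=", 1)[1], src.split("=", 1)[1]

def find_spraying(log_text, window=timedelta(minutes=30), min_users=4, max_per_user=2):
    """Flag sources that fail against many accounts with few tries per account.
    Thresholds are illustrative assumptions; tune them to your own baseline."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, outcome, user, src = parse(line)
            by_src[src].append((ts, outcome, user))
    findings = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            fails = defaultdict(int)
            for _, outcome, user in in_window:
                if outcome == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                # A success from the same source in the window is the account to triage first.
                hits = sorted({u for _, o, u in in_window if o == "OK"})
                findings.append({"src": src, "targeted": sorted(fails), "succeeded": hits})
                break
    return findings

if __name__ == "__main__":
    for finding in find_spraying(SAMPLE_LOG):
        print(finding)
```

The second source in the sample, which fails repeatedly against a single account, is deliberately not flagged: that pattern is what ordinary lockout policies already catch, while the first source stays under a per-account counter.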
According to Scott Ikeda at CPO Magazine, the Citrix data breach is thought to have been perpetrated by an Iranian hacking group called IRIDIUM. These international cyber criminals specialize in attacking foreign nations.
This data breach should highlight how vulnerable private companies are to cyber incidents.
Consider this: Citrix has over 400,000 clients worldwide, including 99% of the Fortune 100 companies. The software company provides cloud services to the U.S. military and is one of the Department of Defense’s approved vendors.
This may have been a simple oversight where Citrix did not subject its employees' PII to the same level of security that it provides to customers. But if cyber criminals can compromise Citrix, what chance do small and medium-sized businesses that are not tech companies have against cyber criminals?
I've always said that every company has to become digital. Like everything in life, however, there are pros and cons. Moving to digital platforms is necessary, but there are risks, such as data breaches. In my humble opinion, the pros outweigh the cons. We just need to out-innovate the bad guys . . . hopefully.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP