[BreachExchange] Citrix's $2.3 million settlement offer for employees impacted by data breach approved

Destry Winant destry at riskbasedsecurity.com
Fri Jan 29 10:36:18 EST 2021


https://www.zdnet.com/article/citrix-agrees-to-2-3-million-settlement-for-employees-impacted-by-data-breach/

Citrix employees impacted by a data breach that resulted in the theft
of their data have secured a $2.275 million settlement.

The settlement, first agreed in June 2020, has now met with the
approval of Judge Ron Altman, as reported by Bloomberg Law.

This week, the judge issued preliminary approval for the settlement
figure in the US District Court for the Southern District of Florida.

The class-action lawsuit, involving roughly 24,300 members, will be
settled in return for Citrix providing the $2.275 million fund, usable
for credit monitoring services, ID theft recovery, and up to $15,000
in reimbursement for expenses and loss per claimant.

Citrix disclosed the data breach in March 2019 after being alerted by
the FBI of a possible network intrusion. Cyberattackers had
infiltrated the software giant's internal servers for a period of
roughly five months between 2018 and 2019.

The company said that the threat actors had "intermittent access" to
corporate resources and that password spraying was the likely
method by which access to Citrix systems was obtained.

Password spraying takes advantage of weak credentials and is a common
method to compromise both corporate and personal accounts.

Citrix employees were embroiled in the security incident. In a letter
(.PDF) sent to those thought to be impacted -- including staff,
contractors, interns, job candidates, beneficiaries, and dependents --
the company said their personal data may have been stolen.

This may have included PII, Social Security numbers, passport numbers,
limited health insurance data, driver's licenses, and financial
account information such as payment card numbers.

A hearing over Zoom is set for June 10, 2021, where the settlement may
be finalized.

ZDNet has reached out to Citrix and will update when we hear back.

