Communications Litigation Today was a Warren News publication.
12 Unauthorized Charges

Xfinity Customers Blame Fraudulent Account Activity on Citrix Data Breach

Two of three plaintiffs in a negligence lawsuit against cloud computing company Citrix have experienced identity theft as a result of the company's Oct. 10 data breach, they alleged in a class action Wednesday (docket 0:24-cv-60070) in U.S. District Court for Southern Florida in Fort Lauderdale.

Plaintiffs Michelle Birnie of Key Largo, Florida, Charolet Fail of Sebring, Florida, and Lauren Wilkinson of Reading, Pennsylvania, alleged Citrix was negligent in the October breach that was the “direct result” of its “Citrix Bleed” security vulnerability that compromised the personally identifiable information (PII) of over 35 million customers.

Citrix announced the vulnerability Oct. 10 and issued a patch; it issued more “mitigation guidance” Oct. 25, said the complaint. Xfinity said it “promptly installed the patch and mitigated its systems,” the complaint said, but hackers exploited the vulnerability Oct. 16-19 and stole PII of Xfinity customers, it said.

The “treasure trove” of PII hackers stole included usernames and “hashed passwords,” names, contact information, the last four digits of Social Security numbers, dates of birth, and security questions and answers, the complaint said. Xfinity first informed its customers of the breach in December.

On Dec. 30, Birnie received a text message from Xfinity telling her to change her password, followed by a letter Jan. 4 saying her PII was compromised, the complaint said. Since Dec. 19, Birnie has experienced identity theft, it said. An unauthorized person attempted to purchase flights from Kuala Lumpur, Malaysia, for $432 on three booking websites using her debit card information, the complaint said. She received login attempts for her Amazon account “about every two minutes” while on the phone with her bank and had to change all her passwords for her Xfinity, Amazon and financial accounts, it said.

Fail received a letter from Xfinity on Jan. 3 about compromised PII, after a dozen unauthorized charges were made against her checking account November-January, said the complaint. The charges weren’t flagged by her bank because they appeared as Xfinity charges, the complaint said. Fail was able to get the charges reversed, except for two in the amounts of $154.73 and $277.22, but the unauthorized charges triggered 15 overdraft charges totaling $450, it said. Fail continues to work with the bank to resolve the unauthorized charges, it said.

Wilkinson received notice from Xfinity that her PII was compromised when she logged into her account on Jan. 4, the complaint said. As a result of the breach, she has spent time and effort monitoring her financial and online accounts “to detect and prevent any fraudulent or suspicious activity,” it said.

The Citrix Bleed security vulnerability in the cloud computing company’s NetScaler application delivery controller and NetScaler gateway is “particularly dangerous” because it allows unauthorized third parties to bypass multifactor authentication, “hijack legitimate user sessions and acquire elevated permissions to harvest credentials, move laterally within the subject network, and access data and resources,” the complaint said.

Citrix is “well aware of the risks associated with failing to adequately protect against security vulnerabilities,” said the complaint, citing the company’s form 10-K for the year ended Dec. 21, 2021, acknowledging that “service vulnerabilities could result in loss of and/or unauthorized access to confidential information.”

In December 2019, Citrix discovered another vulnerability in application delivery and security products “that would have allowed an unauthenticated attacker to perform arbitrary code execution,” the complaint said, citing the annual report. In the filing, Citrix said its response to that vulnerability “required significant investment of resources across the company.”

Citrix’s NetScaler provides remote access infrastructure that allows an entity to securely manage remote access to its networks; 75% of internet users “rely on NetScaler every day,” and 90% of Fortune 500 companies use it, the complaint said. The Citrix Bleed vulnerabilities have been connected to several cyberattacks, including ones against Boeing and Toyota, said the complaint.

The vulnerabilities are said to be “easy to exploit,” the complaint said. Though Citrix issued a “purported fix” Oct. 10, it didn’t issue mitigation guidance warning its customers to download the patches immediately until Oct. 23, it said. “Despite the fix, mitigation guidance, and installation of the patches, hackers have been nevertheless able to attack numerous organizations,” it said. From Oct. 16 to Oct. 19, hackers “gained unfettered access to Xfinity’s systems by exploiting Citrix Bleed,” said the complaint.

In addition to negligence and negligence per se, the complaint alleges violation of the Florida Unfair and Deceptive Trade Practices Act. Plaintiffs seek orders requiring Citrix to implement security testing procedures; an injunction requiring it to safeguard its networks and plaintiffs’ and class members’ PII; awards of compensatory, statutory and punitive damages; pre- and post-judgment interest; and attorneys’ fees and costs. Citrix doesn't comment on pending litigation, a spokesperson emailed Friday.