The cybercriminals who breached Citrix's network for nearly five months may have accessed and removed Social Security numbers and financial information for current and ex-employees.
The software company said that, in limited cases, the adversaries might have also captured the names, Social Security numbers and financial data for the beneficiaries and dependents of Citrix employees, according to a breach notice filed this week with the California Attorney General's office.
"We deeply regret that this incident occurred and take the security of employee information seriously," Peter Lefkowitz, Citrix's chief privacy and digital risk officer, wrote in the notice.
Citrix believes the cybercriminals had intermittent access to the company's network between 13 October 2018 and 8 March 2019. In the weeks following the discovery of the breach, Citrix said it and outside security experts took measures to expel the bad actors from its systems and prevent future cybercriminals from entering the network through a similar mechanism.
The FBI first informed Citrix March 6 that it had reason to believe that international cybercriminals had gained access to Citrix's internal network. The company's forensic security experts subsequently confirmed that the malicious actors had removed files from Citrix's internal systems that included information about current and former employees, as well as certain beneficiaries and dependents.
Citrix first disclosed the hack in an 8 March 2019 blog post by chief security and information officer Stan Black. The company hasn't indicated how many individuals were affected by the breach, and didn't immediately respond to a request for additional comment.
Company employees will be allowed to enroll in Equifax ID Patrol — a complimentary one-year credit monitoring, dark web monitoring, and identity restoration service — in countries where it is available, Citrix said. Where possible, Citrix said Equifax benefits will also be made available to beneficiaries and dependents who had their information compromised as part of the breach.
Following receipt of the information from the FBI, Citrix said it immediately launched an investigation, engaged leading cybersecurity firms for assistance, and cooperated with law enforcement in connection with their own investigation into the cybercriminals. Citrix is monitoring for signs of further activity, but to date hasn't found any indication that the security of any Citrix product or service was compromised.
"We have taken steps to address issues that could have contributed to this situation, and we are invested in resources and technology to improve our internal security going forward," Citrix wrote in an employee FAQ filed as part of the breach notice.
The threat actors likely entered Citrix's network via password spraying, according to a 4 April blog post by Eric Armstrong, the company's vice president of corporate communications. In password spraying, the threat actor seeks to access as many accounts as possible by attempting login with the most commonly used passwords.
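As an added example (not from the article, Citrix, or Armstrong's post), here is how a defender can pick out the password-spraying pattern described above in authentication logs: one source failing against many distinct accounts with only a guess or two per account, which looks different from a brute-force attack that hammers a single account. The log format, addresses and usernames are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Citrix data):
# "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2018-10-13T02:00:01 203.0.113.7 alice FAIL
2018-10-13T02:00:03 203.0.113.7 bob FAIL
2018-10-13T02:00:05 203.0.113.7 carol FAIL
2018-10-13T02:00:07 203.0.113.7 dave FAIL
2018-10-13T02:00:09 203.0.113.7 erin FAIL
2018-10-13T02:00:11 203.0.113.7 frank SUCCESS
2018-10-13T02:01:00 198.51.100.9 alice FAIL
2018-10-13T02:01:02 198.51.100.9 alice FAIL
2018-10-13T02:01:04 198.51.100.9 alice FAIL
2018-10-13T02:01:06 198.51.100.9 alice FAIL
2018-10-13T02:01:08 198.51.100.9 alice FAIL
2018-10-13T03:30:00 192.0.2.5 bob FAIL
2018-10-13T03:30:02 192.0.2.5 bob SUCCESS
"""

def parse_log(text):
    """Parse log lines into (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_fails_per_user=2):
    """Return {source_ip: sorted usernames} for sources whose failed logins inside
    `window` hit at least `min_users` distinct accounts with no account tried more
    than `max_fails_per_user` times. A single-account brute force (one user, many
    guesses, as 198.51.100.9 above) does not satisfy the many-users condition."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        lo = 0
        for hi in range(len(fails)):          # sliding time window over failures
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            per_user = defaultdict(int)
            for _, user in fails[lo:hi + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged

def compromised_logins(events, flagged):
    """Successful logins from a flagged source: accounts whose password the spray guessed."""
    return sorted((src, user) for _, src, user, r in events if r == "SUCCESS" and src in flagged)
```

The successes returned by `compromised_logins` are the accounts that would need the forced password reset the article describes.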
In addition to expelling the threat actors from Citrix's systems, Armstrong said the company performed a forced password reset throughout its corporate network and improved internal password management protocols. The investigation is a complex and dynamic process, Armstrong said, and is still ongoing.
"It is difficult to predict how long an investigation like this will take," Armstrong said. "We are going to continue to follow all indicators of suspicious activity to ensure we have thoroughly addressed the incident."