Security & Fraud

Hackers Had Six-Month Access To Citrix Networks

Hackers Had Six-Month Access To Citrix Networks

Citrix has confirmed that hackers had access to its networks for six months before the breach was discovered, according to reports.

In a letter to California’s attorney general, the virtualization and security software creator revealed the hackers had “intermittent access” to its internal network from October 13, 2018 until March 8, 2019, two days after the FBI alerted the company that it had been breached.

On March 6, 2019, the FBI informed Citrix that the Bureau had reason to believe international cyber criminals gained access to Citrix’s internal network, according to the letter written by Peter Lefkowitz, the company's chief privacy and digital risk officer. "Following receipt of this information, we immediately launched an investigation, which remains ongoing. We currently believe that the cyber criminals had intermittent access to our network between October 13, 2018 and March 8, 2019 and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents. Out of an abundance of caution, we are providing this letter to current and former employees of Citrix to alert them of this incident. We will notify you if your beneficiaries or dependents were impacted."

Lefkowitz added that the company believes the hackers accessed and or removed information about current and former employees, as well as certain beneficiaries and dependents. This information may have included names, Social Security numbers and financial information.

Citrix later revealed in another letter that the attack was probably the result of password spraying, which attackers use to breach accounts via a list of commonly used passwords that aren’t protected with two-factor authentication.

While the news outlet asked Citrix how many staff were sent data breach notification letters, a spokesperson did not immediately comment. But under California law, authorities must be informed of a breach if more than 500 state residents are involved.



Banks, corporates and even regulators now recognize the imperative to modernize — not just digitize —the infrastructures and workflows that move money and data between businesses domestically and cross-border.

Together with Visa, PYMNTS invites you to a month-long series of livestreamed programs on these issues as they reshape B2B payments. Masters of modernization share insights and answer questions during a mix of intimate fireside chats and vibrant virtual roundtables.