In a letter to California’s attorney general, the virtualization and security software creator revealed the hackers had “intermittent access” to its internal network from October 13, 2018 until March 8, 2019, two days after the FBI alerted the company that it had been breached.
On March 6, 2019, the FBI informed Citrix that the Bureau had reason to believe international cyber criminals gained access to Citrix’s internal network, according to the letter written by Peter Lefkowitz, the company's chief privacy and digital risk officer. "Following receipt of this information, we immediately launched an investigation, which remains ongoing. We currently believe that the cyber criminals had intermittent access to our network between October 13, 2018 and March 8, 2019 and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents. Out of an abundance of caution, we are providing this letter to current and former employees of Citrix to alert them of this incident. We will notify you if your beneficiaries or dependents were impacted."
Lefkowitz added that the company believes the hackers accessed and or removed information about current and former employees, as well as certain beneficiaries and dependents. This information may have included names, Social Security numbers and financial information.
Citrix later revealed in another letter that the attack was probably the result of password spraying, which attackers use to breach accounts via a list of commonly used passwords that aren’t protected with two-factor authentication.
While the news outlet asked Citrix how many staff were sent data breach notification letters, a spokesperson did not immediately comment. But under California law, authorities must be informed of a breach if more than 500 state residents are involved.