Citrix has published an official statement denying allegations that the company’s network was breached by a malicious actor who also claims to have stolen customer information.
The actor is now selling what he claims to be a database with information on 2,000,000 Citrix customers on the dark web, with a price tag of 2.15 bitcoins (roughly $19,700).
“As recently as today, there are reports of Citrix data for sale on the dark web,” Citrix’s CISO Fermin J. Serna says. “Many of these reports today erroneously imply a Citrix compromise.”
Hacker compromised the network of a third party
Serna added that “a threat intelligence report circulated concerning claims made on the dark web by a threat actor alleging compromise of the Citrix network, exfiltration of data, and attempts to escalate privileges to launch a ransomware attack.”
However, while investigating these claims, Citrix found no evidence of network compromise and instead discovered that the threat actor stole data from the breached network of a third party.
“This third party has been cooperative and responsive to our questions and direction, and has taken immediate action to isolate from the internet any Citrix related data they may have,” Serna explains.
“Once that action was complete, the author of the threat intelligence report reported that the threat actor’s unauthorized access was terminated.”
No Citrix customer credentials were stolen
The third party whose systems were compromised to steal Citrix data has now started its own investigation and is taking remediation measures, keeping Citrix up to date with any findings.
As Serna further explains, the third party’s breach doesn’t equate to Citrix’s network being compromised or customer credentials having been stolen:
- A compromise of this third party’s network does not provide a means into the Citrix network, or a vector for a ransomware attack against Citrix.
- This third party does not possess Citrix source code, highly sensitive intellectual property, or passwords, or other credential information.
- The third party is only in possession of low sensitivity business contact information.
This is not the first time Citrix data was stolen in a data breach: the company learned from the FBI in March 2019 that threat actors were able to gain and maintain access to its networks between October 13, 2018, and March 8, 2019, after hacking their way in using password spraying.
During that time, the hackers were able to exfiltrate sensitive personal info of both current and former employees including names, Social Security numbers, and financial information.
In May 2019, an ex-employee of Citrix filed a class action complaint about damages suffered following the company’s security breach.