Firm only found out it’s core internal systems had been hacked after the FBI contacted them
The scale of a serious data breach at connectivity specialist Citrix earlier this year is becoming clearer after the firm opened up about the attack in a letter to the California Attorney General.
In March this year Citrix blogged that it was informed by the FBI of an intrusion on Citrix’s internal servers by foreign hackers (thought to be Iranian) who managed to obtain internal business documents.
But the letter to the California AG has revealed the breach was more serious than first thought, and that the hackers had unfettered access to Citrix’s internal servers for six months.
“On March 6, 2019, the FBI informed Citrix that the FBI had reason to believe that international cyber criminals gained access to Citrix’s internal network,” said the letter.
“Following receipt of this information, we immediately launched an investigation, which remains ongoing,” it wrote. “ We currently believe that the cyber criminals had intermittent access to our network between October 13, 2018 and March 8, 2019and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents.”
Staff data that was stolen includes names, social security numbers, and financial information.
So not only did Citrix need to be told by the FBI that it had been hacked, but the hackers had six months access to its systems.
Citrix said in the letter it has “engaged leading cyber security firms to assist our internal team with its forensic investigation,” and it is co-operating with the FBI.
“We have taken measures that we believe are designed to remove the cyber criminals’ access to our systems, and we are monitoring for signs of further activity or compromise,” it admitted.
The firm also said that it had hired Equifax to help affected staff with a one year credit monitoring, dark web monitoring, and identity restoration service.
Equifax said that it was able to identify approximately 2.4 million US consumers whose names and partial driver’s license information had been stolen.
This was in addition to the 146 million US consumers, as well as nearly 700,000 UK consumers, that had their data stolen.
Other compromised personal data includes 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment card number and expiration dates.
Do you know all about security? Try our quiz!