Data Breach 'Critical in Nature,' Says Class Action vs. Citrix and Comcast
Comcast and Citrix have the resources “to take seriously the obligation” to protect customers’ personally identifiable information (PII), but they “failed to invest the time or resources necessary to protect the PII” of Raymond Goodrow and class members who are victims of Citrix’s October data breach, said a class action Wednesday (docket 0:24-cv-60100) in U.S. District Court for Southern Florida in Fort Lauderdale.
The data breach, resulting from the “Citrix Bleed” vulnerability in a software product used by Comcast and other companies, compromised the names, mailing addresses, phone numbers, dates of birth, partial Social Security numbers, usernames, encrypted passwords and security question prompts and responses of Goodrow, a South Deerfield, Massachusetts, resident, and class members, the complaint said. Security researchers called the vulnerability “critical in nature,” said the complaint, citing a Nov. 14 TechCrunch article.
Goodrow learned of the breach in a Dec. 18 notice of data security incident letter Comcast mailed to customers informing him data thieves were able to access and obtain his PII on or about Oct. 10, the complaint said. The internet service provider also posted a copy of the notice on its website, but it failed to provide basic details on how unauthorized parties accessed Goodrow’s PII, which Citrix product contained the vulnerability and whether the breach was systemwide or limited to a subset of customers, it said.
Comcast learned on Oct. 25 that cybercriminals received “unauthorized access to and possession of" Goodrow's PII and concluded Dec. 6 the nature of the stolen information, the complaint said. Comcast’s notice said its “data analysis is continuing,” the complaint said, and that it will provide “additional notices as appropriate,” it said. That indicates that the data Comcast alleges was stolen in the breach “should not, in fact, be taken as a whole and definitive list at this time,” it said.
Citrix didn’t release patches for the vulnerability until October, though Google’s Mandiant cybersecurity group said hackers had been “exploiting the Citrix Bleed since at least August to break into systems,” the complaint said, citing an Oct. 31 blog post. Citrix didn’t provide “meaningful notice” to Goodrow or tell him what steps were taken to mitigate the risk of subsequent cyberattacks and further harm, it said.
As a result of the breach of data Goodrow was required to provide to receive Comcast service, he has suffered lost time, annoyance, inconvenience and emotional distress, the complaint said. He is also at heightened risk for financial and medical fraud and identity theft for years to come, it said.
Goodrow asserts claims of negligence and negligence per se, breach of implied contract and third-party beneficiary contract, and unjust enrichment, said the complaint. He seeks for himself and class members damages, restitution, and declaratory and injunctive relief, it said. He also seeks attorneys’ fees and legal costs, plus pre- and post-judgment interest.
Comcast and Citrix shouldn’t be permitted to retain money belonging to Goodrow and class members because they failed to adequately implement the data privacy and security practices customers paid for and that were mandated by federal, state and local laws, and industry standards, the complaint said. The defendants should be compelled to “disgorge into a common fund” for the benefit of Goodrow and class members all “unlawful or inequitable proceeds” they received, and a “constructive trust should be imposed upon all unlawful or inequitable sums” the defendants received traceable to the plaintiff and class members, it said.
Goodrow’s class action is the third filed by attorney Jeff Ostrow of Kopelowitz Ostrow against Citrix related to the October data breach, court records show. Comcast and Citrix didn't comment Thursday.