Former Xfinity Customer Experienced Fraud After Citrix Data Breach: Class Action

Comcast's Xfinity “waited weeks” to patch its systems against the “Citrix Bleed” vulnerability in the cloud service company’s software that led to an Oct. 10 data breach, said a negligence class action Friday (docket 2:24-cv-00258) against both companies in U.S. District Court for Eastern Pennsylvania in Philadelphia.

The broadband provider disclosed in a Dec. 18 notice that it was the subject of a “massive data breach” in the Citrix NetScaler software and that hackers gained unauthorized access to its networks between Oct. 16 and Oct. 19, the complaint said. As of Oct. 10, Citrix hadn’t noted active exploitation of the vulnerability, it said. By Oct. 18, Mandiant researchers reported the vulnerability was under “active” exploitation and on Oct. 23, Citrix disclosed it was aware of targeted attacks, the complaint said.

Despite knowing about the vulnerability and potential solutions as early as Oct. 10, Xfinity “waited weeks to 'patch’ its systems against this serious vulnerability,” the complaint said. Plaintiff Robert Smith of Delaware, Ohio, a former Xfinity customer, called the delay “catastrophic,” saying Xfinity’s internal systems were accessed by hackers from Oct. 16 to Oct. 19, and it wasn’t until Nov. 16 that the ISP “determined that information was likely acquired,” the complaint said.

Smith, an Xfinity cable TV customer from 2010 to 2013 when he lived in Pittsburgh, had to provide personally identifiable information (PII) to the company as a condition of service, the complaint said. Xfinity shared that information with Citrix through the NetScaler software, it said. Smith received a notification email from Xfinity in December telling him he was a victim of the breach and advising him to take action such as resetting his password and monitoring credit reports for suspicious activity, the complaint said. It also recommended placing a fraud alert and security freeze on his credit report.

Smith experienced fraud on Nov. 11 when an unknown actor tried to open a credit card with JPMorgan Chase under Smith’s account, the complaint said. After receiving an alert from the bank, Smith spent “a considerable amount of time on the phone” with Allstate Identity Protection and Chase to stop the fraudulent activity, it said. Smith suffered emotional distress knowing that his PII “is no longer confidential and can be used for extortion, theft or fraud,” it said.

Though Xfinity said after the breach it “’can’t emphasize enough how seriously’ it is taking this matter and that it takes its responsibility to protect customers’ information seriously,” the provider “should have had robust protections in place to detect and terminate a successful intrusion long before access and exposure of customer data,” the complaint said. Comcast’s and Citrix’ “failure to prevent the breach is inexcusable given their knowledge that they were prime targets for cyberattacks,” it said. The breach affected 35,879,455 current and former Xfinity customers, said the complaint.

The complaint cited a joint cybersecurity advisory co-authored by the National Security Agency, Cybersecurity and Infrastructure Security Agency and FBI “explicitly highlighting" telecommunications and network service provider targeting by cyber actors. The advisory said cyber actors “exploit and access” telecommunications organizations and network service providers through open-source tools, which “allows for the scanning of IP addresses for vulnerabilities.” Once they have gained a foothold, “they identify ‘critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,’” it said.

Comcast recognized that risk and cited the possibility of a cyberattack in its 2022 annual report, said the complaint. “A cyber attack, information or security breach, or technology disruption or failure may negatively impact our ability to conduct our business or result in the misuse of confidential information, all of which could adversely affect our business, reputation and results of operations,” it said.

In mid-December 2022, some Xfinity customers reported that their account information had changed, and they couldn’t access their accounts, the complaint said. Unknown threat actors bypassed Xfinity’s two-factor authentication system and set up a secondary email using the one on users’ accounts and then changed their passwords, it said. Despite Xfinity’s representation that it takes the protection of customers’ PII seriously, Xfinity "swept this intrusion under the rug as it 'neither notified customers nor publicly announced the incident,'” the complaint said, citing a Dec. 29, 2022, alert from the New Jersey Cybersecurity & Communications Integration Cell.

Despite publicly available knowledge of continued compromises of PII and despite holding the PII of millions of customers, defendants “failed to use reasonable care in maintaining the privacy and security" of Smith and class members' PII, said the complaint. Had the companies implemented “industry-standard security measures, adequately invested in data security, and promptly ‘patched’ the vulnerabilities, unauthorized parties likely would not have been able to access” their systems, and the breach would have been “much smaller in scope,” it said.

In addition to negligence and negligence per se, Smith asserts claims of breach of contract and implied contract, plus unjust enrichment. He seeks orders requiring the defendants to implement procedures requiring parties with whom they share PII to maintain reasonable industry-standard security measures, including securely deleting Smith’s and class members’ PII when it’s no longer required for business, and to implement their own industry-standard security measures, said the complaint.

Smith seeks compensatory, consequential, general and nominal damages, and he seeks statutory damages, trebled, or punitive damages; disgorgement and restitution of all earnings, compensation and benefits received by the defendants as a result of their unlawful acts; pre- and post-judgment interest; and attorneys’ fees and costs. Citrix is aware of the complaint but doesn't comment on pending litigation, a spokesperson emailed Friday. Comcast didn't comment.