Comcast Ignored Warnings About Citrix Bleed Vulnerability, Says Complaint
Comcast didn’t heed warnings from Citrix and “numerous other industry experts who were sounding the alarm” about Citrix Bleed, a vulnerability in two of the cloud computing company’s network appliances that led to an October data breach, alleged a class action Thursday (docket 2:24-cv-00599) against the two companies in U.S. District Court for Eastern Pennsylvania in Philadelphia. The breach affected some 36 million Comcast Xfinity customers.
Hackers have been exploiting the vulnerability in Citrix’s NetScaler application delivery controller and NetScaler gateway since “at least August,” said the complaint, citing an October Ars Technica article assigning the vulnerability a “severity rating” of 9.8 out of 10. Citrix released a patch for Citrix Bleed on Oct. 10 and recommended that users “kill all active and persistent sessions on affected network appliances, as any sessions hijacked before the update would persist after the update,” the complaint said.
But Comcast “neglected to patch and/or kill all active and persistent sessions on vulnerable appliances for six to nine days, allowing unauthorized cybercriminals to access Comcast’s systems unabated” Oct. 16-19, the complaint said. Over the four days, “cybercriminals infiltrated Comcast’s data systems, exfiltrated massive amounts” of confidential personally identifiable information (PII) “and escaped unscathed,” it said. The hackers likely acquired usernames and hashed passwords, and for some customers, contact information, the last four digits of Social Security numbers, birthdates and secret questions and answers used to secure an account, it said.
Comcast didn’t start notifying data breach victims until Dec. 18, “months after” it initially discovered the breach, said the complaint. Despite the breach’s serious nature, the broadband provider didn’t offer any identity theft protection to affected customers “at all,” it said. Instead, Comcast “merely provided a toll-free number” for its incident response provider managing customer notifications and call center support, plus a link for more information, “which merely links back to the Notice itself,” the complaint said.
Comcast knew the severity of the data breach but chose in the notice letter to “ignore and downplay the size and scope” of the incident “by failing to provide the victims with meaningful notice or assistance,” said the complaint. It betrayed the trust customers had in the company when they provided their PII to receive service, it said.
Ralf Werner of Antioch, Tennessee, and class members have suffered and will continue to suffer damages, including monetary losses, lost time, anxiety and emotional distress, said the complaint. They are at increased risk of losing the opportunity to control how their PII is used; of the diminution in value of, and the compromise and continuing publication of, their PII; of out-of-pocket costs associated with the prevention, detection and remediation of identity theft or fraud; of delay in receipt of tax refunds; and of unauthorized use of their PII, it said.
Werner asserts claims of negligence vs. both defendants; negligence per se for violation of the FTC Act vs. Comcast; breach of implied contract against both defendants; and unjust enrichment, invasion of privacy and violation of the Cable Communications Act vs. Comcast. He seeks on behalf of himself and the class injunctive relief; an order enjoining defendants from further deceptive and unfair practices and making “untrue statements” related to the data breach; and awards of compensatory, exemplary, punitive and statutory damages, plus pre- and post-judgment interest; restitution and damages; and attorneys’ fees and costs. Citrix is aware of the complaint but doesn't comment on pending litigation, a spokesperson emailed Friday. Comcast had no comment.