Export Compliance Daily is a Warren News publication.
Loan Numbers Stolen

LoanCare's Delay in Telling Customers About 'Citrix Bleed' Raised Fraud Risk: Suit

The personally identifiable information (PII) of more than 1.3 million individuals was compromised due to a “critical flaw” in Citrix’s NetScaler software, alleged a class action Monday (docket 0:24-cv-60048) in U.S. District Court for Southern Florida in Fort Lauderdale. The suit names Citrix, its customer LoanCare and LoanCare parent company Fidelity National Financial (FNF).

Plaintiff Douglas Newell, a Louisiana resident who received a loan from LoanCare, received a data breach notice from the mortgage company Jan. 3, informing him his PII had been compromised in the breach, including his name, address, Social Security number and loan number, the complaint said.

NetScaler software is designed to facilitate, manage and protect network traffic, said the complaint. Citrix on Oct. 10 announced a “sensitive information disclosure vulnerability” in the NetScaler software suite, known as “Citrix Bleed.” The vulnerability allows hackers to “hijack user sessions” on NetScaler appliances to collect information about the target company’s network and “steal credentials,” it said.

The day of its announcement, Citrix released a patch to fix the Citrix Bleed vulnerability, with additional mitigation steps released Oct. 23, said the complaint. Citrix Bleed had been exploited as a “zero-day vulnerability since at least August,” it said. On Nov. 19, FNF filed a Form 8-K, notifying the SEC about the data breach, saying the company determined an unauthorized third party accessed its systems and acquired “certain credentials.” The company was continuing to assess the impact, it said, saying the breach affected PII of 1.3 million individuals.

On Dec. 12, LoanCare posted a notice about the “data event” on the Maine attorney general’s website, its first public notification of the breach, the complaint said. The mortgage company advised customers to “monitor accounts, obtain freeze credits and/or new credit reports, report identity theft” to the FTC and police and to issue fraud alerts, the complaint said.

Cybersecurity researcher Kevin Beaumont performed scans of Citrix NetScaler appliances linked to FNF’s domain and deduced that FNF applied the Citrix patch Nov. 14, “two weeks after it was made available,” the complaint said. Beaumont said FNF patched the Citrix Bleed “late” and had a “security incident involving a ransomware group.” As a result of LoanCare’s delay between the time it learned of the data breach and its notice to affected customers, the risk of fraud for plaintiff and class members “has been driven even higher,” said the complaint.

Following the data breach, Newell noticed an increase in spam emails, text messages and phone calls, said the complaint. He has had to pay for credit monitoring, identity theft protection and a credit card security plan, the complaint said. He spent two hours searching for fraudulent charges on his accounts and four hours dealing with the breach's consequences, it said.

Newell asserts claims of negligence, breach of implied contract and unjust enrichment. He seeks an order requiring defendants to use “appropriate security controls” consistent with legal and industry standards to protect consumers’ PII from future data breaches. He seeks actual and statutory damages and costs, restitution, disgorgement, lifetime credit monitoring and identity theft insurance, plus pre- and post-judgment interest, attorneys’ fees and legal costs.

In a similar class action in the same court vs. LoanCare and Citrix, plaintiff Shirley Dailey, a Philadelphia resident, alleges the defendants had a duty to adopt reasonable measures to protect her PII from “involuntary disclosure” to third parties. They had obligations under the FTC Act to keep plaintiff’s and class members’ PII confidential and to “protect it from unauthorized access and disclosure,” said the complaint (docket 0:24-cv-60038).

Dailey asserts claims of negligence and negligence per se, breach of implied contract and unjust enrichment. She seeks injunctive relief, including enjoining defendants from engaging in the wrongful acts described, requiring them to encrypt all data collected through the course of business, to purge and destroy PII of plaintiff and class members, and to implement a comprehensive information security program. She seeks actual, compensatory, statutory, nominal and punitive damages, plus attorneys’ fees and costs, said the complaint.

Dailey’s attorney, Jeff Ostrow of Kopelowitz Ostrow, is also representing plaintiffs in other recent data breach class actions against Northwell Health, HCA Healthcare, Foresight Wealth Management and Navy Federal Credit Union. He filed a negligence action vs. Genworth Life Insurance in August involving Progress Software Corp.’s May MOVEit file transfer software data breach.