Xfinity Should Have Known PII Was at Risk Due to 'Citrix Bleed': Class Action

The plaintiffs and class members seek $35 billion in statutory damages. The lawsuit doesn’t name Citrix.

Plaintiffs H. Joshua Diamond and Lori Zinn, of Miami-Dade County, and Robert Elson, of Leon County, are among the 500,000 “Customer Relationships” that Comcast had in Miami as of Dec. 31, 2022, said the complaint, citing the most recent annual report. Xfinity’s cable distribution system uses an “HFC cable network that [it] believe[s] is sufficiently flexible and scalable to support [its] future technology requirements and enables [it] to continue to grow capacity and capabilities over time,” said the complaint, citing the form 10-K.

At some point prior to Oct. 10, “it became known that the software provided by Citrix to Xfinity was subject to a vulnerability” referenced as CVE-2023-4966, said the complaint. The Citrix Bleed affects its NetScaler ADC and NetScaler Gateway, commonly used Citrix devices in large organizations, said the complaint. The affected products have a “buffer overflow vulnerability” that allows for sensitive information to be disclosed when configured in certain ways, it said.

Prior to Oct. 10, Citrix “advised customers using NetScaler ADC and NetScaler Gateway that they should install updated networking product versions to prevent the exploitation of their vulnerabilities,” said the complaint. Apart from any notification Citrix provided, “at all times prior” to Oct. 10, Xfinity “knew or should have known of this and other potential vulnerabilities that posed substantial risks to their systems and the safeguarding of subscriber PII,” said the complaint.

Xfinity also knew or should have known that “the use and continued reliance on old, stale and outdated or long-used software was too far below the state of the art necessary for a business of its kind that is a target for the most sophisticated cyber criminals,” said the complaint. Exploitation of the Citrix Bleed could allow for the disclosure of sensitive information, including “session authentication token information that may allow a threat actor to ‘hijack’ a user’s session,” the complaint said.

The Citrix Bleed “was previously exploited to deploy LockBit 3.0 ransomware and had been under ‘active exploitation’" by cybercriminals since at least August, the complaint said. Prior to Oct. 10, the Citrix Bleed “was discoverable using ordinary care,” including via monitoring leaked information on the dark web, it said.

When Citrix announced the existence of the vulnerability on Oct. 10, it issued “remedial guidance and a patchwork protocol so that businesses using its software, like Xfinity, could immediately mitigate the risk posed by the Citrix Bleed to their systems,” the complaint said.

On and after Oct. 10, Xfinity “failed timely to implement necessary cybersecurity practices with respect to the known, potential compromise of its systems, including failing to immediately patch and/or perform the remedial guidance and patchwork protocols provided by Citrix,” the complaint said. It also failed to quarantine or take offline “potentially affected hosts” or to safeguard subscriber PII “until such time as proper and complete remediation could be performed,” it said.

From Oct. 16-19, cybercriminals, or other unauthorized third parties, exploited the Citrix Bleed to gain access to Xfinity’s data, including subscribers’ PII, the complaint said. Xfinity claimed to have “promptly patched and mitigated” its systems, but the data breach occurred 10 days after the public announcement of Citrix Bleed, the complaint said. “In other words, after the Citrix Bleed became public knowledge, Xfinity sat on its hands and failed immediately to fully protect, patch and mitigate its systems for at least 10 days allowing third-party criminals ample time to steal subscribers’ PII,” it said.

Xfinity should have known that when Citrix announced the existence of the vulnerability “and issued remedial guidance and a patchwork protocol,” data thieves would “use that information to reverse-engineer the Citrix Bleed vulnerability and immediately attack vulnerable networks, including Xfinity,” it said. Xfinity failed to correct the vulnerability before cybercriminals could strike, it said.

The cable operator’s “sluggish response” was a violation of plaintiffs’ rights under the Cable Act to protect their PII and “to “take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator,” the complaint said.

Statutory damages suffered by the plaintiffs under the Cable Act include theft of subscriber PII; costs associated with detection and prevention of identity theft and purchasing credit monitoring and theft protection services; lowered credit scores resulting from credit inquiries following fraudulent activities; costs of time spent addressing consequences of the data breach; impending injury from increased risk of fraud; and diminution in value of PII entrusted to Xfinity, it said.

In addition to $35 billion, the full amount of statutory damages to which they’re entitled, plaintiffs seek punitive damages, attorneys’ costs and legal fees, said the complaint.

Elsewhere, plaintiffs Shandrelle Harper, of Charleston County, South Carolina, and Daniel Frank, of Gwinnett County, Georgia, sued Xfinity and Citrix for failing to protect their PII, said a Thursday class action (docket 2:24-cv-00072) in U.S. District Court for South Carolina in Charleston.

Plaintiffs assert claims of negligence, breach of contract and unjust enrichment. They seek damages and penalties, plus orders requiring defendants to engage third-party security auditors to test their systems and to correct problems they detect. They also seek orders requiring defendants to purge and delete PII not necessary for provision of service and to conduct internal training. In addition, they seek pre- and post-judgment interest, plus legal costs. Comcast and Citrix didn't comment.