Export Compliance Daily is a Warren News publication.
Flights From Kuala Lumpur

Xfinity Customers Claim Accounts Were Fraudulently Charged After Citrix Data Breach

Two negligence class actions were filed in U.S. District Court for Eastern Pennsylvania Wednesday involving the Citrix Systems October data breach that compromised the personally identifiable information (PII) of over 35 million Comcast Xfinity customers. One names Citrix only; the second names Citrix and Comcast.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

In the complaint naming only Citrix, plaintiffs Michelle Birnie, Key Largo, Florida; Charolet Fail, Sebring, Florida; and Lauren Wilkinson, Reading, Pennsylvania, cited Citrix’s failure to “adequately test and monitor its products for security vulnerabilities, failing to identify the security vulnerabilities earlier, and failing to adequately and promptly notify its customers of the security vulnerabilities," said the complaint (docket 2:24-cv-01201)).

Birnie received a letter from Xfinity Jan. 4 informing her that her PII was compromised, and since Dec. 19, Birnie has experienced identity theft, the complaint said. An unauthorized person attempted to buy tickets for flights from Kuala Lumpur for $432 on three booking websites using her debit card information, the complaint said. While she was on the phone with her bank trying to resolve that, she received “numerous login attempt notifications for her Amazon account about every two minutes,” it said. As a result of the hacking attempts, Birnie had to change all her passwords, it said.

Fail received her notice from Xfinity Jan. 3. She has experienced identity theft since November, including “over a dozen” unauthorized charges made against her checking account, the complaint said. Her bank didn't flag the charges “because they appeared as Xfinity charges,” said the complaint. Fail was able to get all the charges reversed except for two in the amounts of $154.73 and $277.22, but she's responsible for 15 overdraft charges for $30 each totaling $450, it said.

The fraudulent charges also affected Fail’s automatic payments, including to her car insurance provider and cellphone carrier, the complaint said. She had to contact every company with which she has automatic withdrawal set up “to explain that she has been a victim of identity theft and to stop the withdrawals,” it said. She also had to make sure her Social Security checks weren't compromised and to ensure her checks were deposited, it said.

Wilkinson, who received notice of the breach when she logged into her account Jan. 4, has spent “time and effort” monitoring her financial and online accounts “to detect and prevent any fraudulent or suspicious activity,” it said.

The October data breach isn’t the first time Citrix’s “conduct and omissions have compromised sensitive and personal identifying information,” said the complaint. In 2019, Citrix had two other security incidents that compromised the PII of “thousands” of individuals, and that action, In re: Citrix Data Breach Litigation, settled in 2021, it said. As part of the settlement, Citrix agreed to provide monetary compensation to victims and to implement remedial measures: enhanced cybersecurity training and awareness programs; enhanced data security policies and security measures; restriction of access to personal information; and enhanced monitoring and response capability, it said.

As a cloud computing company, Citrix “is well aware of the risks associated with failing to adequately protect against security vulnerabilities,” said the complaint. The suit cited Citrix’s 2021 annual report in which the company acknowledged that “service vulnerabilities could result in loss of and/or unauthorized access to confidential information.”

In the other complaint naming both Citrix and Comcast, Laura Wiley of Park Ridge, Illinois, alleges the defendants failed to protect her and class members’ PII, with Comcast failing “to even encrypt or redact this highly sensitive information,” and Citrix failing to develop its software to protect against hacking vulnerabilities, said the complaint (docket 2:24-cv-01198).

Citrix announced Oct. 10 a vulnerability in one of its products used by Xfinity and “thousands” of companies worldwide; at the same time it announced a patch to fix the vulnerability, dubbed the “Citrix Bleed,” said Comcast’s data breach notice to its customers. But Comcast later discovered that “prior to mitigation,” Oct. 16-Oct. 19, there was “unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” it said.

Comcast determined Nov. 16 “that information was likely acquired,” and on Dec. 6, it concluded the leaked information included “usernames and hashed passwords,” and for some customers, additional information including names, contact information, last four digits of Social Security numbers, birthrates, and secret questions and answers, the complaint said.

The data breach was a direct result of the defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols that would protect Comcast customers’ PII and prevent a “foreseeable” cyberattack, it said.

Wiley, a Comcast customer since 2009, has experienced “fraudulent and/or suspicious conduct” involving her PII that was compromised in the data breach, the complaint said. It noted an increase in spam or phishing calls, emails and text messages to the accounts and contact numbers she provided Comcast “in exchange for its services.” Wiley spent about five hours responding to the breach, including time spent contacting Comcast about the breach, and monitoring her accounts and credit for “suspicious activity,” it said.

The defendants “failed to properly implement basic data-security and cybersecurity practices,” said the complaint, and Comcast “failed to audit, monitor, or ensure the integrity of its vendor’s data-security and cybersecurity practices.” The defendants’ failure to employ “reasonable and appropriate measures” to protect against unauthorized access to Wiley’s and class members’ PII violates the FTC Act, it said.

The plaintiffs in the Birnie case assert claims of negligence and negligence per se and violations of Florida’s Unfair and Deceptive Trade Practices Act. Wiley asserts claims of negligence and negligence per se; breach of implied contract vs. Comcast; breach of third-party beneficiary contract vs. Citrix; and unjust enrichment. In both actions, plaintiffs seek relief enjoining the defendants from engaging in the wrongful conduct described; an order requiring them to implement and maintain a comprehensive information security program; and an award of actual, nominal and consequential damages; prejudgment interest; and attorneys’ fees and costs. Comcast and Citrix didn't comment Thursday.

.