Citrix Just Suffered a Massive Data Breach


On March 8, Citrix Systems Inc., a global technology provider known for its virtualization solutions, disclosed that the company was investigating unauthorized access to its internal network. The company said in a public note that it learned of the intrusion on March 6, after being notified by the Federal Bureau of Investigation. News of the breach resulted in the immediate loss of hundreds of millions of dollars in shareholder value. In the wake of the incident, Citrix will undoubtedly face costly investigations, remediation work and legal fees.

Early reports have attributed the Citrix breach to state-affiliated cyber criminals linked to Iran. According to reports, the company was attacked first in December 2018 and again last Monday, with six to ten terabytes of data stolen, including confidential internal business documents. The hackers obtained access through a password spray attack, an automated attack pattern in which every conceivable password is attempted until access is obtained. In addition, the hackers used tailored tools to bypass multi-factor authentication for critical applications and services for further unauthorized access to Citrix’s virtual private network (VPN) and single sign-on (SSO) resources.

A combination of factors contributed to the Citrix breach, which, in our opinion, could have been avoided altogether had the company’s network segmentation, data loss prevention (DLP), password policies, and intrusion detection and prevention (IDS/IPS) systems been more effective. Citrix, as a sophisticated multinational technology group, likely had many of these controls in place, but the company appears not to have properly validated the efficacy of those controls, a failure common to many businesses. Companies large and small will continue to suffer similar breaches until they adopt a more proactive stance toward the protection of sensitive information.

Business and technology leaders seeking to protect their company should focus on implementing layered defenses, such as DLP, IDS/IPS, password policies and network segmentation, if these controls are not already in place. More mature enterprises should consider undertaking comprehensive infrastructure testing to assess and improve the security of their perimeter or demilitarized zone (DMZ). Layered defenses such as IDS/IPS, firewalls and gateways should be assessed to ensure complete coverage of enterprise and customer-facing applications. Password policies should be scrutinized and revised as necessary to ensure that they would remain effective against a password spray attack. Additionally, because implementing controls alone is insufficient, DLP systems and rules should be regularly reviewed and tested to ensure their continued efficacy. Enterprise cloud solutions, including services provided by companies such as Microsoft (e.g. Office 365) and Amazon (e.g. Amazon Web Services), are also susceptible to password spray attacks and should be hardened using products such as cloud access security brokers (CASB). Wherever possible, companies should leverage SSO, even for internal applications, in order to simplify and centralize password policies and enforce granular authorization.
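As an added example (not from the original post or from Certus), the following Python shows why a per-account lockout threshold is blind to password spraying while counting distinct accounts per source address catches it; the log format, user names and addresses are constructed for illustration only.

```python
"""Password-spray detection over constructed auth log lines (added example).
A spray makes one or two tries per account across many accounts, so a
per-account lockout threshold never trips; grouping by source address does."""
import re
from collections import defaultdict
# Constructed sample lines (not from the incident): 203.0.113.5 sprays one
# guess across many accounts; 198.51.100.9 brute-forces a single account.
SAMPLE_LOG = """\
2019-03-04T02:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-03-04T02:00:02Z src=203.0.113.5 user=bob result=FAIL
2019-03-04T02:00:03Z src=203.0.113.5 user=carol result=FAIL
2019-03-04T02:00:04Z src=203.0.113.5 user=dave result=FAIL
2019-03-04T02:00:05Z src=203.0.113.5 user=erin result=FAIL
2019-03-04T02:00:06Z src=203.0.113.5 user=frank result=OK
2019-03-04T02:01:00Z src=198.51.100.9 user=grace result=FAIL
2019-03-04T02:01:01Z src=198.51.100.9 user=grace result=FAIL
2019-03-04T02:01:02Z src=198.51.100.9 user=grace result=FAIL
2019-03-04T02:01:03Z src=198.51.100.9 user=grace result=FAIL
2019-03-04T02:01:04Z src=198.51.100.9 user=grace result=FAIL
2019-03-04T02:05:00Z src=192.0.2.20 user=heidi result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse(log):
    """Yield (src, user, failed) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] != "OK"

def locked_accounts(log, threshold=5):
    """Classic per-account lockout: accounts with at least `threshold` failures."""
    fails = defaultdict(int)
    for _, user, failed in parse(log):
        if failed:
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def spray_sources(log, min_accounts=5, max_per_account=2):
    """Sources that failed against many distinct accounts with few tries each."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, user, failed in parse(log):
        if failed:
            per_src[src][user] += 1
    hits = {}
    for src, users in per_src.items():
        if len(users) >= min_accounts and max(users.values()) <= max_per_account:
            hits[src] = sorted(users)
    return hits
```

Only the brute-forced account `grace` ever reaches the lockout threshold; the spraying source is invisible to that rule and is caught only by the per-source spread check.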

Most companies would also benefit from an independent assessment of their information security program’s maturity to identify areas of weakness, prioritize cybersecurity spend and chart a course for improvement where necessary. Independent assessment by an expert may identify gaps internal teams have overlooked.

The breach at Citrix underscores the risk that even the largest enterprises face in the cybersecurity domain. Companies large and small should use this breach as a reminder that cybersecurity is not a one-time effort, but rather a continual business risk factor and area of focus, which must be prioritized at the technical, management and board level.

This communication, which we believe may be of interest to clients and friends of the company, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice.

If you have any questions or comments regarding the matters covered in this publication, please contact us at

About Swapnil Deshmukh

Swapnil Deshmukh is CTO and co-founder of Certus Cybersecurity Solutions LLC, based in the firm’s San Francisco Bay Area office. A thought leader and technical expert with extensive experience in information security, Swapnil leads consulting delivery for Certus clients worldwide, partnering with executives to implement and enhance layered defenses and effective security processes and policies. Prior to Certus, Swapnil served as a senior director at Visa Inc., where he played a leadership role in enhancing the company’s security architecture and secure software development lifecycle (SSDLC) capability.

About Certus Cybersecurity Solutions LLC

Certus Cybersecurity Solutions LLC provides cybersecurity consulting and services to businesses seeking to safeguard their critical systems and applications from data breach and disruption. With deep expertise in enterprise cybersecurity and a track record of leveraging our experience in combination with cutting-edge technologies, Certus is a trusted partner to companies seeking to proactively build cybersecurity capability.

For more information on how Certus Cybersecurity can help secure your business, please contact us.

US: +1 877 905 0975
UK: +44 20 396 52716
Germany: +49 711 4906 6996
