We have concluded our investigation into our previously disclosed security incident. I’d like to share an overview of our work, our major findings, and some of the steps we are taking to improve our security moving forward.
First, I would like to thank our customers, partners and employees for their patience throughout this process. While we endeavored to move with judicious speed, we took the time and care necessary to ensure that the cyber criminals were expelled from our systems, and to gain a thorough understanding of the impact and contributing factors of the incident.
Second, I would like to thank the board’s cybersecurity committee, established at the beginning of our investigation and chaired by Moira Kilcoyne, for its direction and oversight throughout the investigation.
And third, the FBI for their support over the course of our investigation. We have updated the FBI on our findings.
Since discovering this incident, our internal teams have worked with leading cyber breach response experts, including FireEye Mandiant, to uncover the means of attack used by the cyber criminals, determine the scope of intrusion, monitor our network, and plan long-term security enhancements.
What We Found
With the conclusion of the investigation, we confirmed that the cyber criminals gained access to our internal network through password spraying, a technique that exploits weak passwords. Once in our network, the cyber criminals intermittently accessed and, over a limited number of days between October 13, 2018, and March 8, 2019, principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.
The cyber criminals also may have accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications.
Importantly, we found no compromise or exfiltration beyond what has been previously disclosed. The cyber criminals have been expelled from our systems. There is no indication that the security of any Citrix product or customer cloud service was impacted. Finally, we determined that the cyber criminals did not discover or exploit any vulnerabilities in our products or services to gain entry.
As part of an extensive e-discovery process, experts are carefully reviewing documents and files that may have been accessed or were stolen in this incident. We have notified, or shortly will notify, the limited number of customers who may need to consider additional protective steps.
What We Did
Over the past several months, we have taken significant actions to safeguard our systems and improve protocols. We performed a global password reset, improved our internal password management, and strengthened password protocols. Further, we improved our logging at the firewall, increased our data exfiltration monitoring capabilities, and eliminated internal access to non-essential web-based services along with disabling non-essential data transfer pathways.
We also deployed FireEye’s endpoint agent technology across our systems to provide an additional layer of defense. These protective agents perform continuous monitoring across the enterprise permitting us to quickly contain any detected issues.
Moving Forward
With the investigation complete, I am focused on fostering a security culture at Citrix that prioritizes prevention and also ensures that we detect and respond effectively to any future incidents. The improvements to our security culture will extend to the highest levels of our company.
To strengthen our governance and ensure security policies and practices are best in class and remain so over time, the cybersecurity committee, chaired by director Moira Kilcoyne, will become a permanent part of our governance model. Moira is joined on this committee by Bob Calderoni, chairman of the board, and Robert Daleo, chairman of the audit committee. The cybersecurity committee will work closely with Tony Gomes, EVP and General Counsel, who will chair a cross-functional management committee charged with oversight and monitoring of cyber risks.
While we have done much already to improve our security posture and evolve our culture, working with Mandiant and other outside security experts, we have developed and will execute against plans to keep our products, corporate network and vigilance tuned to the threats posed by cyber criminals.
Finally, I want to express my sincerest appreciation to the employees and customers that have been impacted by this incident for their understanding and support. Throughout the investigation, we have endeavored to be as transparent as possible with key findings and lessons learned, but we recognize that is not enough. And while we have made meaningful strides towards improving our cyber security defenses, we live in a dynamic threat environment that requires a culture of continuous improvement. I want to assure you that we are fully committed to continuing to foster such a culture, and we are doing everything possible to ensure this type of incident cannot happen again.
