Citrix employees impacted by a data breach that resulted in the theft of their data have secured a $2.275 million settlement.
The settlement, first agreed in June 2020, has now met with the approval of Judge Ron Altman, as reported by Bloomberg Law.
This week, the judge issued preliminary approval for the settlement figure in the US District Court for the Southern District of Florida.
The class-action lawsuit, involving roughly 24,300 members, will be settled in return for Citrix providing the $2.275 million fund, usable for credit monitoring services, ID theft recovery, and up to $15,000 in reimbursement for expenses and loss per claimant.
Citrix disclosed the data breach in March 2019 after being alerted by the FBI of a possible network intrusion. Cyberattackers had infiltrated the software giant's internal servers for a period of roughly five months between 2018 and 2019.
The company said that the threat actors had "intermittent access" to corporate resources and that that password spraying was the likely method in which access to Citrix systems was obtained.
Password spraying takes advantage of weak credentials and is a common method to compromise both corporate and personal accounts.
Citrix employees were embroiled in the security incident. In a letter (.PDF) sent to those thought to be impacted -- including staff, contractors, interns, job candidates, beneficiaries, and dependents -- the company said their personal data may have been stolen.
This may have included PII, Social Security numbers, passport numbers, limited health insurance data, driver's licenses, and financial account information such as payment card numbers.
A hearing over Zoom is set for June 10, 2021, where the settlement may be finalized.
ZDNet has reached out to Citrix and will update when we hear back.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0