• Skip to primary navigation
  • Skip to main content
site logo
  • About
    • Approach
    • Partnerships
    • Mission
    • Leadership
    • Awards
    • Arraya Cares
  • Solutions
    • Solutions

    • Hybrid Infrastructure
      • Hyperconverged
      • Infrastructure as a Service
      • Servers, Storage, and Virtualization
      • Data Protection
      • Disaster Recovery & Business Continuity
    • Apps & Data
      • AI
      • Automation
      • Customizations
      • Visualizations & Integrations
      • Migrations
    • Network
      • Enterprise Networks
      • Wireless Connectivity
      • Cloud Networking Solutions
      • IoT
    • Cybersecurity
      • Endpoint Security
      • Network Security
      • Cloud Security
      • Application Security
    • Modern Workplace
      • Microsoft Licensing
      • Productivity & Collaboration
      • Modern Endpoint Deployment & Management
      • Microsoft Compliance & Risk
      • Backup
      • Cloud
  • Services
    • Services

    • Managed Services
      • Service Desk
      • Outsourced IT
      • Managed Security
      • Managed NOC
      • Arraya Adaptive Management for Microsoft Technologies
      • ADEPT: Arraya's White Label Program
    • Advisory Services
      • Assessments
      • Strategy
      • vCTO
      • vCISO
      • Enterprise Architecture
    • Staffing
      • Infrastructure Engineering
      • Security & Compliance
      • Application & Software
    • Professional Services
      • Project Management 
      • Systems Integration 
      • Mergers & Acquisitions
      • Knowledge & Skills Transfer 
  • Industries
    • Education
    • Finance
    • Healthcare
    • Legal
    • Manufacturing
    • Software and Services
  • Insights
    • News
    • Blog
    • Events
    • Videos
    • Case studies
  • Careers
  • CSP Login
search icon
Contact Us

Citrix, Equifax, and How to Data Breach-Proof Your Business

Last week, Citrix became the latest victim of a high-profile data breach while Equifax, a perennial cyber security punching bag, was raked over the coals by Congress. Both Citrix data breach equifax data breachstories represent valuable learning opportunities for organizations seeking to avoid a similar fate. Let’s review each story, then we’ll share some insights into how companies can protect themselves.

Passwords exploited to trigger Citrix data breach

In a recent blog post, Citrix CSIO Stan Black announced the global software provider was investigating unauthorized access to its organizational network. Black’s brief post stuck to the basics of the incident. It detailed how, earlier this month, the FBI alerted Citrix that international cyber criminals had breached the company’s defenses. Later, the post mentioned that attackers utilized a technique called password-spraying. Basically, they attempted to access a large number of accounts using a small list of common passwords. Once inside, they used this initial foothold to gain greater access to Citrix’s network. Also in his post, Black confirmed that, while the company’s investigation is ongoing, it appears attackers accessed and downloaded business documents.

Industry news outlets and observers shared a few more details. For example, Resecurity, a security firm that claims to have alerted Citrix of the situation back in December, identified the attackers as the Iranian-backed IRIDIUM, which has made a name for itself targeting governments, utilities, and technology companies. Additionally, the firm believes attackers accessed at least 6TB of sensitive internal Citrix data, including emails. For its part, Citrix did stress there’s no sign the breach touched any products or services.

Resecurity also theorized the attack was a decade in the making. According to the firm, IRIDIUM hackers may have been lurking inside Citrix’s network for nearly ten years. They also believe the actual theft took place over two months, timed to coincide with the holiday season.

Equifax called out by Congress for its data breach

Since suffering a data breach dubbed “the biggest failure to safeguard public data to date” in 2017, Equifax has been locked in the angry glare of the American public and media. Most recently, it was the Senate Permanent Subcommittee on Investigations’ turn to tee off on the credit bureau. In a rare display of bipartisanship, the subcommittee tore into Equifax via a recently released report.

Among the report’s most cringe-worthy moments? A critique leveled against Equifax for allowing a “broad culture of complacency toward cyber security preparedness” to take root. No business wants that reputation in 2019. Not even one that consumers are powerless to disassociate themselves from. The subcommittee’s report comes at a time when demand for a national cyber security and data privacy standard is on the rise. Although, it remains to be seen exactly what, if anything, will come of this increased call for data regulation.

4 security best practices Citrix & Equifax may have overlooked

No organization wants to end up the victim of a data breach, but in at least one way, Citrix and Equifax can count themselves lucky. Why? Both of these organizations are large enough to take these incidents on the chin and survive. Not all businesses can say the same. In fact, research from the National Cyber Security Alliance indicates 60% of SMBs burned by cyber criminals go out of business within six months. Given the existential threat posed by data breaches, we wanted to highlight a few areas where Citrix and Equifax fell short in order to help others avoid doing the same:

  • Two-Factor Authentication (2FA) – Techniques like password-spraying are only effective as standalone methods of attack if 2FA isn’t in place. Best practice is to roll out 2FA for all users, at every business level. This ensures hackers are going to have to work much harder to breach an organization’s perimeter defenses.
  • Patching schedules – When IT gets busy, patching schedules are an easy thing to set aside. Easy, but not safe. The risks of doing so are demonstrated by Equifax’s incident and were put on blast in Congress’s report. If onsite IT doesn’t have the bandwidth to set and stick to a patching schedule, it’s important to seek out a partner who can help.
  • Password policies – Common passwords, like those found on the list likely employed by Citrix’s password-spraying attackers, should never be allowed. Policies governing the complexity and lifespan of passwords may not be popular. However, pushing users to leverage stronger codes is an easy way to improve organizational security.
  • Security culture – Congress publicly decried Equifax’s complacent cyber security culture. Inevitably, security culture starts at the top. Executive leaders should participate in the security process and, whenever possible, demonstrate public support for password policies, 2FA, etc.

Next Steps: Putting lessons learned from Citrix & Equifax into action

Want to learn more about how to keep your organization’s data out of the wrong hands and its name out of the (negative) headlines? Arraya Solutions Cyber Security team can help provide the vision as well as the hands-on expertise needed to do both. Strike up a conversation with them today by visiting https://www.arrayasolutions.com//contact-us/.

Also, you can leave us a comment on this or any of our blogs through social media. Arraya can be found on LinkedIn, Twitter, and Facebook. Remember to follow us to stay up to date on our industry insights and unique IT learning opportunities.

Arraya Insights
Back to Top
Arraya Solutions logo

We combine technological expertise and personal service to educate and empower our customers to solve their individual IT challenges.

518 Township Line Road
Suite 250, Blue Bell, PA 19422

p: (866) 229-6234     f: (610) 684-8655
e: info@arrayasolutions.com

  • Careers
  • Privacy Policy
  • Contact Us

© 2025 Arraya Solutions. All rights reserved.

Facebook Twitter YouTube LinkedIn
Manage Cookie Consent
We use cookies to enhance your experience. By selecting “Accept,” you agree to our cookie policy.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}