Trend Micro said that a rogue employee sold the data of 68,000 customers to a malicious third party, who then used that data to target customers with scam calls.
The employee, who gained unauthorized access to a customer-support database, has since been terminated. Trend Micro said that the security incident impacted less than 1 percent of its 12 million customers; a company spokesperson specified that this number is approximately 68,000 in a comment to Threatpost.
“The system accessed was our consumer database,” the spokesperson told Threatpost. “We have increased our internal security features and processes with regards to accessing the consumer database including continuous monitoring and alerting of suspicious activities.”
The employee had accessed a database that contained customer names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers.
However, “there are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed,” Trend Micro said in a Tuesday post.
The company became aware of the incident in early August 2019, when some security customers reported receiving scam calls from criminals purporting to be Trend Micro support employees. The company launched an investigation and in October concluded that the incident had stemmed from an insider threat.
The Trend Micro spokesperson told Threatpost that, because of the ongoing open investigation, the company cannot comment on specifics regarding the third party who bought the data, other than to call it a “currently-unknown third-party malicious actor.”
Security experts like Colin Bastable, CEO of Lucy Security, speculate that such a database would be appealing for many, such as a support services scam company, or even a competitor.
“The data will enable hackers to run highly targeted attacks, combining email and phone,” he said. “With a little research, it will be possible to penetrate Trend Micro customers and move laterally, launching ransomware attacks and CEO attacks (also known as business email compromise attacks). Of course, the data may have been sold to a competitor, or a team running a support services scam, but once out in the market such valuable data tends to be acquired by organized crime syndicates.”
Trend Micro has since notified all potentially impacted customers, and it continues to investigate while increasing its internal security measures.
Insider threats continue to plague companies. In fact, according to the Verizon Data Breach Investigations Report from this year, “privilege misuse and error by insiders” account for 30 percent of breaches.
In May, for instance, a report outlined how Snap employees were abusing their access to private user data – which includes location data, saved Snaps and phone numbers. And a report in 2018 found that Facebook had fired an employee who allegedly abused their access to data to stalk women.
Security experts, for their part, urge impacted Trend Micro customers to be on the lookout in the coming months for unsolicited calls or emails claiming to be from the security firm.
“Trend Micro customers whose information was leaked in this breach are at risk of phishing and scams from criminals posing as Trend Micro staff,” Paul Bischoff, privacy advocate with Comparitech, said in an email. “Customers might receive fake tech support or billing calls intended to trick them into giving up sensitive information such as passwords and credit card numbers, or even remote access to their devices. They could also receive texts from Trend Micro imposters with links that direct them to phishing sites. Trend Micro does not make unannounced calls to its customers. All calls are scheduled in advance, so if you receive an unsolicited call from Trend Micro, hang up and report it to Trend Micro support.”