Security firm Trend Micro recently announced that a “malicious insider” sold personal information of approximately 68,000 of its customers to third parties after improperly accessing data stored in its systems with “clear criminal intent”.
The massive breach of its customers’ personal data was announced by Trend Micro on Tuesday in a blog post in which the cyber security firm said that one of its employees “used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers”.
The firm said that it started receiving information in early August about some customers receiving scam calls by criminals impersonating Trend Micro support personnel. After a couple of months of investigating the issue, Trend Micro concluded that the spam campaign was a result of a malicious employee accessing customer data without authorisation and sharing the data with third parties.
Hackers used stolen data to launch an impersonation campaign targeting customers
“A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers. There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed.
“Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor. We took swift action to contain the situation, including immediately disabling the unauthorized account access and terminating the employee in question, and we are continuing to work with law enforcement on an ongoing investigation,” the firm said.
The firm also warned its customers that it never makes unexpected calls to customers and support calls are scheduled in advance and therefore, affected customers whose data is in possession of malicious actors should not entertain calls from persons impersonating Trend Micro employees.
“We would like to reassure our business and government customers that our investigations have shown no indication that the criminal has accessed any enterprise customer data. While every maliciously accessed data set is one too many, our investigation has shown that this security incident affects less than 1% of Trend Micro’s 12 million consumer customers.
“Our investigation further shows that the criminals were only targeting English-speaking customers, and we have only seen data accessed in predominantly English-speaking countries,” it added.
A data-centric security model could have prevented the Trend Micro employee from accessing customer data
“The breach at Trend Micro underscores a major, yet unfortunate, disconnect in IT security today where perimeter security, UBA, database encryption, DLP, and fraud/threat detection are deployed without a complementary deployment of security that ensures the data inside is protected,” said Warren Poschman, senior solutions architect at comforte AG.
“Instead of just building virtual Maginot lines around data, organisations need to adopt a data-centric security model to protect the data inside from either external or internal threats – in other words, protect what matters most inside as well as you do to protect the outside perimeter,” he added.
“Insider threat covers more than just the nefarious insider, such as this particular case, but includes the unintentional insider threat and insider threat from “trusted” third parties (suppliers, contractors etc.). As organisations become better at protecting their data and assets which is within their control, options for gaining access to that data are turning to insiders,” said Peter Draper, technical director, EMEA at Gurucul.
“The report states that the user in question “improperly accessed the data”. That being the case, if a modern behaviour analytics solution, such as GRA, had been deployed this activity would have been highlighted before the user had the chance to extract the data and sell it. This would have, not only stopped the data exfiltration, but would have also stopped the Trend Micro users getting the scam calls. Reputation is all!.”