Trend Micro was the target of an insider threat that saw about 100,000 of its consumer customers have their account information stolen, sold and used to make scam phone calls.
Less than one percent of Trend Micro’s 12 million consumer customers were compromised when an employee improperly accessed their data and then sold it to an as-yet-unknown third party. The data involved included customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers.
The cybersecurity company said in a statement today the first inkling something was wrong came in August 2019 when some customers complained of receiving scam phone calls from people purportedly from Trend Micro. The information the callers disclosed to their targets during the conversations led the company to believe it had to have come from an insider.
The company said it never calls customers unannounced.
By late October the company was able to fully determine the attack was an inside job. An employee used fraudulent means to gain access to customer support databases, retrieve the data and sell it.
“Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” the company said.
The employee was found and terminated from their position and the company is working with law enforcement in the on-going investigation.
Trend Micro has disabled the unauthorized account access and does not believe the stolen data included financial or payment card information. However, the information that was taken is more than enough to imperil the affected customers or even the company itself.
““There is immense scope for social engineering attacks on the estimated 70,000 customers. The data will enable hackers to run highly targeted attacks, combining email and phone. With a little research, it will be possible to penetrate Trend Micro customers and move laterally, launching ransomware attacks and CEO attacks. Of course, the data may have been sold to a competitor, or a team running a support services scam, but once out in the market such valuable data tends to be acquired by organized crime syndicates,” said Colin Bastable, CEO Lucy Security.
Warren Poschman, senior solutions architect at comforte AG, said the issue is certainly not limited to Trend Micro and the situation that company is now suffering through should be seen as a learning opportunity.
““The breach at Trend Micro underscores a major, yet unfortunate, disconnect in IT security today where perimeter security, UBA, database encryption, DLP, and fraud/threat detection are deployed without a complimentary deployment of security that ensures the data inside is protected,” he said.
With that noted, Imperva senior vice president and Fellow Terry Ray said the zero trust model has to be extended to corporate employees.
“Taking a Zero Trust approach is a must today, and the insider threat incident at Trend Micro is proof that we cannot trust employees to have the organization and its customers' best interests in mind,” he said.
Ray also pointed out that sometimes it’s easier to spot a malicious insider threat as opposed to a person who is endangering the company unknowingly. Criminal threats tend to leave a clear trail that they are up to no good.
“Anomalous activity at the network level could indicate a compromised insider threat. Likewise, if an employee appears to be dissatisfied or holds a grudge, or if an employee starts to take on more tasks with excessive enthusiasm, this could be an indication of foul play,” he said.
Finally, Ray said, the technology exists that can watch all user behavior on data. It’s at the intersection of users and data, where data breaches occur and as such, going beyond simply watching end points and user behavior is critical in protecting data.