Trend Micro insider threat steals, sells customer data

Trend Micro this week revealed an employee stole personal data from its customers and sold the data to an unknown third party.

On Nov. 5, the cybersecurity vendor disclosed that an insider threat had accessed a customer support database that included names, email addresses, support ticket numbers and in some cases phone numbers, and sold this data to a "currently unknown third-party malicious actor."

The rogue employee accessed the data of "less than 1% of Trend Micro's 12 million consumer customers," and did so as part of a "premeditated infiltration scheme," according to Trend Micro's blog post on the incident (the company later disclosed the estimated number of affected consumer customers was 68,000).

Trend Micro first suspected wrongdoing in early August when it learned some of its consumer customers had been receiving scam calls from individuals impersonating company support staff.

A Trend Micro spokesperson confirmed to SearchSecurity over email that the company was alerted to the issue by customer complaints, though they added "Frankly, security vendors like Trend Micro receive calls every week of people being scammed/attempted to be scammed. So to receive such calls is not new. Due to escalation of these calls we quickly opened a full investigation."

Though the company first suspected wrongdoing in early August, it was not until the end of October that they were able to definitively conclude it was an insider threat who accessed the customer support data. "The malicious insider was able to obfuscate their actions very well and as such the investigation took some time. Therefore, we could not confirm the source of the leak until we were able to deploy some additional forensic tools," the spokesperson said.

According to Trend Micro's disclosure, the tech support scam targeted only English-speaking customers.  "We took swift action to contain the situation, including immediately disabling the unauthorized account access and terminating the employee in question, and we are continuing to work with law enforcement on an ongoing investigation," the blog post said.

SearchSecurity also asked Trend Micro whether any customers were successfully scammed or if any identifying information had been obtained regarding the third-party threat actor. To both questions, the company spokesperson said "As this is an open investigation, we cannot comment on these specifics."

This is second time in a little over a year that Trend Micro customer data has been misused by someone associated with the company. Last year, Trend Micro apps were removed from the Mac App Store for inappropriately collecting users' browser data.

Imperva senior vice president and fellow Terry Ray was not surprised that the data taken was customer PII.

What the employee did take was probably the best thing they could take for them to make money.

"What the employee did take was probably the best thing they could take for them to make money," Ray said. "Meaning, what can I sell? What's the easiest thing for me to sell and resell if I need to? That's going to be things like employee names, phone numbers, addresses that I can sell to spammers, which is exactly what you see."

Flashpoint principal advisor Eric Lackey, who published a blog post on insider threats in July, recommended that any organization -- especially security vendors -- evaluate its most critical and sensitive areas within the organization. But that can be challenging for security vendors.

"They need to control risk around those particular areas to a much greater degree than you would a position or access to less confidential information or less critical areas within the organization," he said. "That said, with a security vendor, a majority of the organization is going to have that type of access."

Lackey also said security vendors face additional reputational risk when it comes to insider threat incidents. "For instance, if you look at Trend Micro's release of the incident, down at the bottom of the page, it gives an article they released five years ago on dealing with insider threats. So something like that is extremely embarrassing for them," he said.

Ray said that based on his 16 years fighting insider threats at Imperva, the best approach is to watch the data. In the Trend Micro case, monitoring data access could have potentially alerted Trend Micro that the employee was accessing or downloading much more data than they normally do in their position.

"Let's say 'Terry' accesses 100 million records today. Terry normally accesses only 5 records. Why 100 million? Terry's peers don't access 100 million records," Ray said. "There would have been flags quickly. They would have found out about this very quickly."