Trend Micro Employee Sold Consumer Data to ScammersEmployee Has Been Fired; 68,000 Customers Affected
A Trend Micro employee stole and then sold contact information for 68,000 of the company's consumer subscribers, which led to a raft of unsolicited tech support scam calls, the company says.
The employee has been fired and law enforcement has been contacted, the company reports in a statement on its website. The employee accessed the data "with a clear criminal intent," Trend Micro says.
"Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls," the company says. "That said, we hold ourselves to a higher level of accountability and sincerely apologize to all impacted customers for this situation."
Trend Micro emphasized that it never makes outbound calls to customers, so those who receive one should hang up.
Contact Details Stolen
The customer support database from which the insider stole information included names, email addresses, customer support tickets and sometimes phone numbers, Trend Micro says. Trend Micro didn't answer a query as to where the employee was based or whether a law enforcement agency has filed criminal charges.
The company has notified victims, which were English-speaking customers who had contacted Trend Micro's consumer technical support, according to a spokeswoman. The countries affected are the U.S., Australia, Bahamas, Canada, Germany, Ireland, New Zealand and the U.K.
The incident is an embarrassment for Trend Micro, a well-known security vendor founded in Japan in the late 1980s. It also highlights a problem that is regarded as one of the most difficult computer security challenges: a well-placed insider who decides to steal information from a company, or the "insider threat."
"We do expect certain types of organizations to have stricter levels of security - security vendors are one," says Brian Honan, a cybersecurity expert and consultant. "But this incident, as other recent incidents against other security vendors such as Avast and NordVPN, highlights that even those organizations with higher levels of security can fall victim to determined attackers." (see NordVPN Says Server Compromised Due to Misconfiguration and Avast: Stolen VPN Credentials Led to CCleaner Attack Redux).
"Credit should be given to Trend Micro for being so open about this issue, and hopefully this openness will continue as more details come to light," Honan says.
Trend Micro says it has filed a notice under Europe's General Data Protection Regulation, which requires organizations to report breaches within 72 hours.
The company says the first clues came in early August, when some consumer customers received calls from individuals impersonating its staff. On Sept. 20, the company issued an advisory on its website, warning of "sophisticated technical support scams targeting our users." A Trend Micro spokeswoman in Australia says the warning was unrelated to the incident.
"The information that the criminals reportedly possessed in these scam calls led us to suspect a coordinated attack," the company says. "Although we immediately launched a thorough investigation, it was not until the end of October 2019 that we were able to definitively conclude that it was an insider threat."
The customer information was sold "to a currently unknown third-party malicious actor."
"Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls."
"We took swift action to contain the situation, including immediately disabling the unauthorized account access and terminating the employee in question, and we are continuing to work with law enforcement on an ongoing investigation," Trend Micro says.
In the wake of the incident, the company says it has strengthened its internal security features and processes for accessing its consumer database, "including continuous monitoring and alerting of suspicious activities."
Tech Support Scams: Tough to Stop
The type of information sold to the tech support scammers would be highly valuable. Having verified contact details and knowing that the victim is running a specific product would enable the scammers to create an impression of legitimacy.
Tech support scams often rely on tricking people into thinking something is wrong with their computer. The services to fix the computers are usually overpriced and unneeded. Also, tech supports scammers usually try to get someone to install a remote access program on their machine, giving carte blanche access to all data, which poses additional risk of identity theft.
The scams have proven resilient and difficult to stop, with scam callers operating from call centers in far-flung places. Many prey on the elderly, who often have little knowledge of computers.
Tech support scams cause "enormous consumer injury," says Lois Greisman, associate director, division of marketing practices, at the U.S. Federal Trade Commission, in a video earlier this year. She says the damage is in the "hundreds and hundreds of millions of dollars."
Scammers have used search-engine advertising to ensnare victims. In response, Google said in September 2018 that it would restrict advertisements from third-party technical support outfits and start a verification program for those who want to advertise (see: Google Promises Crackdown on 'Tech Support' Fraudsters).