A former employee of Trend Micro stole the personal data of some customers with a “clear criminal intent” and then sold it to a third party earlier this year, the cybersecurity company disclosed Tuesday.
Trend Micro first caught wind of the unauthorized disclosure when several users of a home security product began receiving unannounced phone calls from people impersonating Trend Micro support staff. The company says such contact is always a scam because its support calls are always scheduled in advance.
After investigating, Trend Micro uncovered that an employee, who has since been fired, had accessed a company customer support database that contained names, email addresses, support ticket numbers and some telephone numbers. It was not immediately clear when the employee first gained access to the database, although consumer data was accessed in August, a Trend Micro spokesperson told CyberScoop. Trend Micro said it disabled the unauthorized account and law enforcement has been notified.
Approximately 70,000 consumer customers were affected by the data theft, a Trend Micro spokesperson told CyberScoop. The spokesperson declined to comment on what the scammers tried to get during the phone calls given the investigation is open.
“Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” Trend Micro writes. “That said, we hold ourselves to a higher level of accountability and sincerely apologize to all impacted customers for this situation.”
This incident is a reminder that insider threats can plague companies of all kinds, including cybersecurity firms. Just this week insider threat company ObserveIT was acquired by Proofpoint for $225 million, in a move that shows an appetite in the cybersecurity market for monitoring employees and keeping track of user behavior on networks.
Some of the repercussions may still be playing out behind the scenes for Trend Micro — although the company’s investigation into the matter showed the employee did not appear to have stolen financial information or data from Trend Micro business or government customers, the employee sold the stolen personal information to a “third-party malicious actor,” the identity of which is still unknown.