Cyber-security company Trend Micro says the personal data of thousands of its customers has been exposed by a rogue member of staff.
The company says an employee sold information from its customer-support database, including names and phone numbers, to a third party.
It became suspicious after customers started receiving phone calls from scammers posing as Trend Micro staff.
The company says it has contacted those whose details were exposed.
Trend Micro said it believed approximately 70,000 of its 12 million customers had been affected.
“It’s every security firm’s nightmare for something like this to occur,” cyber-expert and writer Graham Cluley told BBC News.
“You can have all the security in place to prevent external hackers getting in but that doesn’t stop internal staff from taking data and using it for nefarious purposes,” he said.
“If a cyber-security firm like Trend Micro can fall victim to a security breach, it can happen to any company.”
Trend Micro provides cyber-security and anti-virus tools to consumers, businesses and organizations around the world.
In August 2019, it received reports many users of its home security software had been receiving scam phone calls.
The scammers knew so much information about their targets that Trend Micro suspected its customer support database had been breached.
It later found out its systems had not been attacked over the internet and it was instead facing a “malicious insider threat”.
“The suspect was a Trend Micro employee who improperly accessed the data with a clear criminal intent,” the company said in a blog post .
“Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor.”
The company said it was working with police and the employee in question had been fired.
It said its customer-support staff would never call people “unexpectedly”.
“If a support call is to be made, it will be scheduled in advance. If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support using our official contact details below,” the company said.
Liability A UK ruling that suggests companies can be held responsible if their own staff leaks data.
It can be extremely hard on a company’s bottom line and public perception when isolated data breaches lead to litigation and public scrutiny of the company’s policies and procedures for data protection. To avoid being on the receiving end of unwanted litigation and publicity, shrink the window of opportunity for your employees to act maliciously.
Organizations can employ several mechanisms to protect against these and other threats: 1) removing local administrative access so that only enterprise administrators can access sensitive data; and 2) deploying software that locks any unauthorized applications from being introduced to the system; and 3) requiring all administrative actions to be logged; and 4) implementing role-based access controls. Keep in mind that company data and IT administrators and related independent contractors have the most access to data and computer systems, and as a result, represent the most significant threat to data security.
Customized Computer Services, Inc. has served the DFW for over 30 years. we have help many of our clients et up protocol system to help companies protect their data from outside threats as well as internal threats.