Updated: The cybersecurity firm says the attack came from within, leading to targeted scams.
Popular security tech company Trend Micro has been the victim of an insider data breach – the company said approximately 70,000 customers have been impacted, “fewer than one percent” of Trend Micro’s 12 million customer base. Trend Micro said the employee allegedly “improperly accessed the data with a clear criminal intent” and that it disabled the employee’s account and fired him/her.
Warren Poschman, senior solutions architect at comforte AG, explains:
“The breach at Trend Micro underscores a major, yet unfortunate, disconnect in IT security today where perimeter security, UBA, database encryption, DLP, and fraud/threat detection are deployed without a complementary deployment of security that ensures the data inside is protected. The belief that ‘if I build a high enough wall they can’t get in and my data is safe inside’ is a fallacy that has been exposed repeatedly in 2019. Instead of just building virtual Maginot lines around data, organizations need to adopt a data-centric security model to protect the data inside from either external or internal threats – in other words, protect what matters most inside as well as you protect the outside perimeter. Data-centric security technologies such as tokenization protect data at rest, in motion, and in use and protect enterprise-wide. In the Trend Micro case, this could have stopped the rogue employee because although they may have had elevated credentials to the customer service database, they would have found that the database contained useless tokens instead of salable data.”
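As an added illustration (not Trend Micro’s or comforte’s code) of the data-centric model Poschman describes, the Python below keeps a token vault apart from the customer-service table, so an account with read access to that table retrieves only tokens; `TokenVault`, the role names and the sample customers are constructed for this example.

```python
import secrets
import string

class TokenVault:
    """Hypothetical vault mapping random tokens to real values. It lives in a
    separately controlled system; detokenizing needs a role support lacks."""
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Same value -> same token, so lookups and joins still work on tokens.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Format-preserving: keep length and character class so downstream
            # systems accept the token as a valid-looking phone or card number.
            token = "".join(secrets.choice(string.digits) if c.isdigit()
                            else secrets.choice(string.ascii_letters) if c.isalpha()
                            else c for c in value)
            if token != value and token not in self._token_to_value and token not in self._value_to_token:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token, caller_role):
        if caller_role != "payments-processor":  # constructed role name
            raise PermissionError("role not authorised to detokenize")
        return self._token_to_value[token]


def build_customer_service_db(vault, customers):
    """What the support database actually stores: name in the clear for
    support work, phone and card replaced by tokens from the vault."""
    return [{"name": c["name"], "phone": vault.tokenize(c["phone"]),
             "card": vault.tokenize(c["card"])} for c in customers]


def insider_dump_contains_pii(db_rows, customers):
    """Simulate the insider copying the whole table: does any real phone or
    card number appear in the dump?"""
    dump = " ".join(f"{r['phone']} {r['card']}" for r in db_rows)
    return any(c["phone"] in dump or c["card"] in dump for c in customers)


# Constructed sample customers, not real data.
CUSTOMERS = [{"name": "A. Sample", "phone": "555-0100", "card": "4111111111111111"},
             {"name": "B. Sample", "phone": "555-0199", "card": "4000000000000002"}]
```

The vault’s own store, and the right to detokenize, must sit behind controls the support role cannot reach; otherwise the tokens are only one hop away from the data.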
Colin Bastable, CEO of security awareness and training company Lucy Security, notes there is cause for worry:
“There is immense scope for social engineering attacks on the estimated 70,000 customers. The data will enable hackers to run highly targeted attacks, combining email and phone. With a little research, it will be possible to penetrate Trend Micro customers and move laterally, launching ransomware attacks and CEO attacks (also known as Business Email Compromise attacks). Of course, the data may have been sold to a competitor, or a team running a support services scam, but once out in the market such valuable data tends to be acquired by organized crime syndicates.”
Paul Bischoff, privacy advocate with Comparitech, has advice for potential victims:
“Trend Micro customers whose information was leaked in this breach are at risk of phishing and scams from criminals posing as Trend Micro staff. Customers might receive fake tech support or billing calls intended to trick them into giving up sensitive information such as passwords and credit card numbers, or even remote access to their devices. They could also receive texts from Trend Micro imposters with links that direct them to phishing sites. Trend Micro does not make unannounced calls to its customers. All calls are scheduled in advance, so if you receive an unsolicited call from Trend Micro, hang up and report it to Trend Micro support.”
Terry Ray, SVP and Imperva Fellow:
“Taking a Zero Trust approach is a must today, and the insider threat incident at Trend Micro is proof that we cannot trust employees to have the organization and its customers’ best interests in mind. Today, we have more users and more data than ever, spanning across different geographies, business units, and environments – cloud and on-prem. It’s naïve and dangerous to assume that there’s a trusted internal network because you’re ignoring or, in this case, trusting insider threats, which are becoming more prevalent whether they are intentional or unintentional. Vendors who support Zero Trust continuously assess ‘trust’ through a risk-based analysis of all sources of data available. They are in a better position to deliver integrated services and security functions because they obtain visibility into the interaction between users, applications, and data, which allows their customers to consolidate data controls.
Detecting malicious employees is easier than detecting negligent employees who don’t know they’re doing harm, because their behavior is more obvious. Anomalous activity at the network level could indicate a compromised insider threat. Likewise, if an employee appears to be dissatisfied or holds a grudge, or if an employee starts to take on more tasks with excessive enthusiasm, this could be an indication of foul play. Even if an employee is not outwardly showing signs of malicious intent, data security technology exists that can watch all user behavior on data. It’s at the intersection of users and data where data breaches occur, and as such, going beyond simply watching end points and user behavior is critical in protecting data. Today, successful identification of all three insider threats, compromised, negligent and malicious, requires database activity monitoring or collection, as well as modern machine learning that can sift through the collected data to find actionable security incidents.”
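As an added example (not Imperva’s or Trend Micro’s tooling) of the database activity monitoring Ray describes, the Python below baselines each support agent’s own daily row retrievals from the customer table and flags a day that jumps far above that history; the audit records, agent names and thresholds are constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records (day, user, table, rows_returned), as a database
# activity monitor would collect them from the query log. Agents normally
# look up a few dozen customers a day; on day 5 one account pulls 70,000.
AUDIT = [
    (1, "agent_a", "customers", 42), (1, "agent_b", "customers", 30),
    (2, "agent_a", "customers", 38), (2, "agent_b", "customers", 35),
    (3, "agent_a", "customers", 51), (3, "agent_b", "customers", 28),
    (4, "agent_a", "customers", 45), (4, "agent_b", "customers", 33),
    (5, "agent_a", "customers", 40), (5, "agent_b", "customers", 70000),
    (5, "agent_b", "tickets", 900),  # other tables are out of scope here
]


def daily_rows(audit, table):
    """Total rows each user pulled from `table`, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, tbl, rows in audit:
        if tbl == table:
            totals[user][day] += rows
    return totals


def flag_anomalies(audit, table="customers", z_threshold=3.0,
                   min_history=3, sigma_floor=1.0):
    """Return {(user, day): rows} for days where a user's total exceeds
    mean + z_threshold * stdev of that user's own earlier days.

    Each user is compared with their own history rather than a global
    average, so a bulk export by one account stands out even if another
    team legitimately reads far more. sigma_floor keeps a perfectly flat
    history (stdev 0) from flagging every one-row change."""
    flagged = {}
    for user, per_day in daily_rows(audit, table).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            mu, sigma = mean(history), max(pstdev(history), sigma_floor)
            if per_day[day] > mu + z_threshold * sigma:
                flagged[(user, day)] = per_day[day]
    return flagged


if __name__ == "__main__":
    for (user, day), rows in flag_anomalies(AUDIT).items():
        print(f"day {day}: {user} pulled {rows} customer rows, far above baseline")
```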