Trend Micro insider breach exposes need for data-centric protection

A breach of consumer account data at security supplier Trend Micro, that led to a small number of users falling victim to attempts to defraud them, could have been easily prevented had the firm paid more attention to its internal security controls.

The breach was the result of a malicious insider threat from a disgruntled employee who “improperly accessed the data with a clear criminal intent”, according to Trend Micro, which disclosed the incident on 5 November 2019.

The firm first became aware that something was amiss in August 2019 when it found out that some consumer customers were receiving scam calls by criminals impersonating its own support staff. The information disclosed by the fraudsters suggested a coordinated attack, but it took two months to definitively prove the incident was the result of insider action.

“A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers” said the firm.

“There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed.”

Trend Micro has since acted to contain the breach, disabling the unauthorised account access from an unknown third-party actor to whom the information was sold, and firing the culprit. An investigation in cooperation with law enforcement is ongoing. It reiterated that its support teams would never make unsolicited phone calls to consumer customers.

The breach makes Trend Micro the latest in a string of consumer security companies to fall victim to security breaches, proving that even the industry’s brightest minds are not infallible. These include Avast, which was hit by an attack through its virtual private network (VPN), and NordVPN, which was exposed by an error at an external datacentre provider.

Warren Poschman, senior solutions architect at comforte AG, said that coming as the result of insider action, the Trend Micro breach highlighted a “major, yet unfortunate disconnect” in security.

“Perimeter security, UBA [user behaviour analytics], database encryption, DLP [data loss prevention], and fraud/threat detection are deployed without a complementary deployment of security that ensures the data inside is protected,” said Poschman.

“The belief that ‘if I build a high enough wall they can’t get in and my data is safe inside’ is a fallacy that has been exposed repeatedly in 2019,” he said. “Instead of just building virtual Maginot lines around data, organisations need to adopt a data-centric security model to protect the data inside from either external or internal threats – in other words, protect what matters most inside as well as you do to protect the outside perimeter.

“Data-centric security technologies such as tokenisation protect data at rest, in motion, and in use and protect enterprise-wide. In the Trend Micro case, this could have stopped the rogue employee because although they may have had elevated credentials to the customer service database, they would have found that the database contained useless tokens instead of saleable data.”

Peter Draper, EMEA technical director at Gurucul, pointed out that the reputational damage for Trend Micro made the breach a potential nightmare scenario. “Security firms are reliant on their reputation for customers to retain their trust in the organisation, and any product or service it sells. For a breach to impact their users is huge,” he said. “However, this is an area of risk that is becoming high on any organisation’s priority list, insider threat – or at least it should be.”

“Insider threat covers more than just the nefarious insider, such as this particular case, but includes the unintentional insider threat and insider threat from trusted third parties,” said Draper. “As organisations become better at protecting their data and assets is within their control, options for gaining access to that data are turning to insiders. This particular case may have been a single user selling the data for personal gain or it could have been that external bad actors could have been in play and may have solicited the sale of the data.”

He said that if it was indeed the case that the insider improperly accessed the data, a modern behavioural analytics solution could well have highlighted their activity before they had a chance to exfiltrate the user data.