Updated November 7th, 2019 at 21:01 IST

Cybersecurity company sells private user data to scammers, apologises

An employee of the cybersecurity company TrendMicro turned rogue and sold private user data to tech support scammers. TrendMicro has acknowledged the situation.

Reported by: Tanmay Patange

In an ideal scenario, a cybersecurity company is supposed to 'secure' data, especially the data that belongs to its customers, and make sure that it doesn't end up in the wrong hands. But in a shocking incident, the opposite has taken place: an employee of the cybersecurity company TrendMicro turned rogue and sold private user data to tech support scammers.

TrendMicro, however, acknowledged the highly embarrassing situation and apologised to affected customers in its recent blog post.

"We recently became aware of a security incident that resulted in the unauthorised disclosure of some personal data of an isolated number of customers of our consumer product. We immediately started investigating the situation and found that this was the result of a malicious insider threat. The suspect was a Trend Micro employee who improperly accessed the data with clear criminal intent," TrendMicro said in its blog post.

"Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls," the company said. "We hold ourselves to a higher level of accountability and sincerely apologise to all impacted customers for this situation."

In August 2019, TrendMicro learnt that some of its home security customers had been receiving scam calls from scammers impersonating Trend Micro support personnel.

At the end of the almost two-month-long investigation, TrendMicro suspected it was an insider threat.

A TrendMicro employee gained unauthorised access to a customer support database, which contained names, email addresses, Trend Micro support ticket numbers and, in some cases, contact numbers of TrendMicro customers. However, the company denies the possibility of users' financial or credit payment information, or business or government customers' data, getting compromised.

The company's investigation further revealed that its employee sold the private data of customers to third parties.

"We took swift action to contain the situation, including immediately disabling the unauthorised account access and terminating the employee in question, and we are continuing to work with law enforcement on an ongoing investigation," TrendMicro added.

Published November 7th, 2019 at 19:24 IST