We recently became aware of a security incident that resulted in the unauthorized disclosure of some personal data of an isolated number of customers of our consumer product. We immediately started investigating the situation and found that this was the result of a malicious insider threat. The suspect was a Trend Micro employee who improperly accessed the data with clear criminal intent.
We immediately began taking the actions necessary to ensure that no additional data could be improperly accessed, and have involved law enforcement.
Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls.
That said, we hold ourselves to a higher level of accountability and sincerely apologize to all impacted customers for this situation. Based on the current status of our investigation, we believe that all of the consumers who were potentially affected have already received individual notices from Trend Micro, but we will continue to investigate and provide further notices in the event that any further affected customers are identified.
In early August 2019, Trend Micro became aware that some of our consumer customers running our home security solution had been receiving scam calls from criminals impersonating Trend Micro support personnel. The information that the criminals reportedly possessed in these scam calls led us to suspect a coordinated attack.
Although we immediately launched a thorough investigation, it was not until the end of October 2019 that we were able to definitively conclude that it was an insider threat. A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers. There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed.
Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor. We took swift action to contain the situation, including immediately disabling the unauthorized account access and terminating the employee in question, and we are continuing to work with law enforcement on an ongoing investigation.
TREND MICRO DOES NOT CALL CONSUMERS UNSOLICITED
If you have purchased our consumer product, you should know that Trend Micro will never call you unexpectedly. If a support call is to be made, it will be scheduled in advance. If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support using our official contact details below. We encourage you to contact us for further assistance if you need help with any technical issues that may have arisen from interaction with the scammers. These technical assistance support services, as with all support services, are already covered by your active license subscription.
ADDITIONAL IMPORTANT INFORMATION
- We would like to reassure our business and government customers that our investigations have shown no indication that the criminal has accessed any enterprise customer data.
- While every maliciously accessed data set is one too many, our investigation has shown that this security incident affects less than 1% of Trend Micro’s 12 million consumer customers.
- Our investigation further shows that the criminals were only targeting English-speaking customers, and we have only seen data accessed in predominantly English-speaking countries.
FOR MORE INFORMATION
Official contact information for Trend Micro technical support in your region can always be found at https://esupport.trendmicro.com. Please contact us if you have any questions or concerns.
[Update November 6, 2019: The estimated number of consumer customers affected is 68,000.]