Cyber-security company Trend Micro says the personal data of thousands of its customers has been exposed by a rogue member of staff.
The company says an employee sold information from its customer-support database, including names and phone numbers, to a third party.
It became suspicious after customers started receiving phone calls from scammers posing as Trend Micro staff.
The company says it has contacted those whose details were exposed.
“It’s every security firm’s nightmare for something like this to occur,” cyber-expert and writer Graham Cluley told BBC News.
“You can have all the security in place to prevent external hackers getting in but that doesn’t stop internal staff from taking data and using it for nefarious purposes,” he said.
“If a cyber-security firm like Trend Micro can fall victim to a security breach, it can happen to any company.”
Trend Micro provides cyber-security and anti-virus tools to consumers, businesses and organisations around the world.
In August 2019, it received reports many users of its home security software had been receiving scam phone calls.
The scammers knew so much information about their targets that Trend Micro suspected its customer support database had been breached.
It later found out its systems had not been attacked over the internet and it was instead facing a “malicious insider threat”.
“The suspect was a Trend Micro employee who improperly accessed the data with a clear criminal intent,” the company said in a blog post.
“Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor.”
The company said it was working with police and the employee in question had been fired.
It said its customer-support staff would never call people “unexpectedly”.
“If a support call is to be made, it will be scheduled in advance. If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support using our official contact details below,” the company said.
Trend Micro said fewer than 1% of its 12 million customers had been affected. That means up to 120,000 people may have had their data sold.
A UK ruling that suggests companies can be held responsible if their own staff leak data is currently being challenged by supermarket chain Morrison’s.
In 2014, an internal auditor at the retailer stole the data, including salary and bank details, of nearly 100,000 staff and posted it online.
Andrew Skelton was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
However, a group legal action also found the supermarket responsible for the actions of its staff.
The retailer is currently challenging the ruling at the UK’s Supreme Court.