Oops! Trend open CC's hosted security clients

Security vendor Trend Micro accidentally e-mailed a planned outage notification to over 1200 of its Australian customers with their e-mail addresses in the open CC field.
While not the worst kind of data leak, the mistake has left the vendor somewhat red-faced and contrite. Following enquiries from Risky.Biz last week, the company e-mailed the users affected by the blunder.
"Unfortunately a mistake was made and recipient emails were added to the CC portion of the message, instead of the BCC portion, which caused several emails to be visible," the e-mail read. "Trend Micro takes our customers' privacy very seriously and is taking the necessary steps to prevent this from happening again. Please accept our sincerest apologies."
The accidental exposure of clients' e-mail addresses is reminiscent of rival vendor McAfee's leak of 1400 Australian IT security professionals' details in July last year.
As trivial as this leak may seem, security consultants say the data could be useful to attackers. They could, for example, stage a phishing attack to try to obtain the customers' login details to the hosted service, Trend's InterScan Messaging Hosted Security (IMHS).
"A list like this is of great value to an attacker. They have the direct, correct email address of the user operating the service the attacker is looking to phish," one said.
Maintainer of the Open Source Vulnerability database, Brian Martin, agreed. "Not only can I phish, I can craft an attachment that I know Trend can't scan," he told Risky.Biz.
However, all agree the disclosure won't increase risks faced by the affected organisation in a significant way.