TeamViewer Trust Center

Eight days after the cyber security incident was first detected on June 26, and after exhausting all relevant investigative options, we have concluded the main incident response and investigation phase. Based on the results of our diligent investigation together with leading cyber security experts from Microsoft, we reconfirm that the incident was contained to our internal corporate IT environment. This means, neither our separated product environment, nor the connectivity platform, nor any customer data has been touched.

These findings confirm that our software solutions have at all times been safe to use. We appreciate our customers’ continued trust in our products, security posture and incident response capabilities.

All immediate remediation measures that we put in place regarding our internal corporate IT environment as well as the additional protection layers that we established have proven to be very effective: there was no suspicious activity in our internal corporate IT environment after our security teams blocked the attack immediately upon detection.

We take the threat very seriously and continue to investigate and monitor the situation vigilantly. This statement concludes our regular status updates on this incident.

Security remains core to our DNA, and we will continue to invest into our best-in-class cyber security posture as we have done in recent years.

As the investigation progresses, we reconfirm that the attack has been contained to our internal corporate IT environment. Most importantly, our assessment reconfirms that it did not touch our separated product environment, nor the TeamViewer connectivity platform, nor any customer data. According to current findings the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities.

The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state.

We will continue our thorough investigation and provide updates in our Trust Center as new information becomes available.

In collaboration with globally leading cyber security experts and relevant government authorities, our security teams continued their diligent investigation of the reported incident. Today’s findings strengthened our assessment that the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data. We therefore reconfirm our previous statements.

Given our strong commitment to security, we take the threat very seriously. We will continue our thorough investigation over the next days to enrich the collected evidence further and exhaust all investigative options. We will continue to provide updates in our Trust Center as new information becomes available.

A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.

Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.

Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place. This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.

Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we commit to transparent communication to stakeholders. We will continue to update the status of our investigations in our Trust Center as new information becomes available. We expect to post the next update by end of today CEST.