Source article headline: An insurance employee has been handed a suspended sentence after illegally accessing personal information
# Incident Report: Insider Data Misuse at Insurance Firm
## Executive Summary
An internal investigation at Markerstudy Insurance Services Limited (MISL) uncovered that an accident claims team manager, Rizwan Manjra, illicitly accessed 32,000 customer policies over weekends without legitimate business reason. Evidence revealed he was sending details of this accessed personal information to an external third party via a mobile device. The employee pleaded guilty to offenses under the Computer Misuse Act 1990 and received a suspended sentence.
## Incident Details
- **Discovery Date:** Date of internal investigation conclusion (following flags from third-party insurers).
- **Incident Date:** Occurred over an unspecified period leading up to discovery.
- **Affected Organization:** Markerstudy Insurance Services Limited (MISL)
- **Sector:** Insurance
- **Geography:** UK (Manchester-based company)
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified, occurred over weekends when the employee was not expected to work.
- **Vector:** Authorized internal access credentials (Insider Threat).
- **Details:** Employee, Rizwan Manjra, accessed customer policies outside of normal working hours.
### Lateral Movement
- **Details:** Not detailed; the internal investigation focused on **data access** rather than network movement. The primary misuse was unauthorized access to customer policy data on internal systems.
### Data Exfiltration/Impact
- **Details:** Personal information from 32,000 customer policies was illegally accessed, and details were sent to a third party via a mobile device.
### Detection & Response
- **Detection:** Triggered by third-party insurers flagging an unusually high number (185) of suspicious claims associated with the individual. MISL conducted an internal investigation.
- **Response Actions:** MISL conducted an internal probe, which was followed by an ICO investigation and a search of the suspect's home. Legal action followed, resulting in a court appearance.
## Attack Methodology
- **Initial Access:** Authorized user credentials used outside authorized scope/time.
- **Persistence:** Maintained access via legitimate employment role.
- **Privilege Escalation:** Not applicable; access was based on existing staff privileges.
- **Defense Evasion:** Access occurred primarily during off-hours (weekends) when monitoring might have been reduced. The data was exfiltrated externally using a "mobile device."
- **Credential Access:** Not applicable (used existing credentials).
- **Discovery:** The perpetrator likely used their role to search for claims data relevant to the third party.
- **Lateral Movement:** Not the primary focus; actions stayed within scope of authorized data repositories used for claims.
- **Collection:** Accessing and compiling details from 32,000 customer policies.
- **Exfiltration:** Sending details of personal information to a third party via a mobile device.
- **Impact:** Unlawful processing and disclosure of personal data.
## Impact Assessment
- **Financial:** Not disclosed, but implied legal and regulatory costs for MISL and the subsequent prosecution costs.
- **Data Breach:** Personal information related to an estimated 32,000 customer policies accessed and potentially shared.
- **Operational:** Minor operational disruption primarily related to the internal investigation.
- **Reputational:** Negative publicity stemming from the criminal conviction and ICO involvement.
## Indicators of Compromise
- **Network indicators:** Sending data off-network via a **mobile device** (potential use of personal data plans or non-corporate channels).
- **File indicators:** Access to large volumes of policy data files outside of assigned workload or standard access patterns.
- **Behavioral indicators:** Access to 32,000 policies, over 90% of which were not assigned to the individual's team, much of it occurring at weekends.
## Response Actions
- **Containment measures:** Internal investigation initiated immediately upon third-party flagging. Access privileges of the employee were likely revoked pending investigation outcome.
- **Eradication steps:** The individual was charged and subsequently sentenced. The company confirmed the scope of the breach.
- **Recovery actions:** Not detailed, but standard procedure would involve auditing access logs and potentially notifying affected data subjects (if required by GDPR/DPA).
## Lessons Learned
- **Key Takeaways:** Insider threats remain a significant risk, especially when individuals are in positions of trust (managerial roles). Unsupervised access patterns (e.g., massive data queries on weekends) can indicate misuse.
- **What could have been done better:** Stricter, automated monitoring thresholds for viewing large volumes of sensitive data, particularly outside declared working hours, could have potentially detected the activity sooner.
## Recommendations
- **Prevention measures for similar incidents:** Implement robust User Behavior Analytics (UBA) to flag anomalous access volumes or off-hours usage of sensitive databases, even by authorized personnel.
- **Review access controls:** Ensure the principle of least privilege is strictly enforced, limiting access to claimant data only to those actively managing those specific cases, regardless of seniority.
- **Device policy enforcement:** Review and strictly enforce policies on the use of personal mobile devices while accessing sensitive corporate data, since a personal device was the exfiltration channel in this case.