Data loss protection: exploring recent cases of data loss and insider threat

Cyber Resilience 30th May 2025

As businesses continue to become increasingly digital-first, safeguarding sensitive information has become paramount. From SMEs to large organisations, the potential ramifications of data breaches extend far beyond financial penalties, impacting reputation, customer trust and operational continuity.

While external cyber attacks often dominate headlines, a significant and often underestimated threat originates from within an organisation: the insider threat. Recent legal cases serve as stark reminders of the critical importance of robust data loss protection strategies to mitigate the risks posed by individuals with privileged access to sensitive data.

This guide explores three recent instances of data loss stemming from insider actions, highlighting the methods employed, the actions taken by the Information Commissioner’s Office (ICO), the consequences faced by the perpetrators, and, crucially, how effective data loss protection measures can help prevent such incidents.

We will examine the cases of Rizwan Manjra, Debbie Okparavero and Maliha Islam, and Jonathan Riches, each illustrating different facets of insider threat and underscoring the necessity of robust and reliable data loss protection.

Case 1: Rizwan Manjra

The first case we will explore involves Rizwan Manjra, a 44-year-old motor insurance worker from Bolton, employed by Markerstudy Insurance Services Limited (MISL) in Manchester city centre. Manjra held a position within a team responsible for handling accident claims, granting him access to a significant volume of personal data.

However, an internal investigation, triggered by concerns raised by third-party insurers regarding an unusually high number of claims being processed, revealed a disturbing pattern of unauthorised access.

It was discovered that Manjra had accessed a staggering 160 claims that were not even referred to his team, and for which he had no legitimate work-related reason to view. This unauthorised access alone raises serious questions about internal controls and the monitoring of employee activity.

Further investigation by MISL uncovered even more alarming behaviour. Manjra was found to have accessed over 32,000 policy records during weekends, periods when he was neither scheduled to work nor claiming overtime. This significant volume of off-hours access strongly suggested malicious intent, indicating a systematic effort to gather information outside the scope of his duties.

The investigation culminated in the discovery that Manjra had been sending personal data he had accessed via his mobile phone to an external party. This act of exfiltration represents a clear breach of trust and a serious violation of data protection principles.

Upon being alerted by MISL, the Information Commissioner’s Office (ICO) launched a thorough investigation, which included a search of Manjra’s residence. The evidence gathered led to his being charged under the Computer Misuse Act 1990.

The subsequent legal proceedings at Manchester Crown Court saw Manjra plead guilty to unlawfully accessing personal data on 30th October 2024. The sentencing, delivered on 11th December 2024, resulted in a six-month prison term, suspended for two years, and an order to complete 150 hours of unpaid work.

This case underscores the potential for significant data breaches even within established organisations and highlights the importance of not only having robust access controls but also actively monitoring user activity to detect anomalies that could indicate malicious behaviour.

Effective data loss protection strategies would involve stringent access management, regular auditing of access logs, and technologies to prevent the unauthorised transfer of sensitive data outside the organisation’s control.

Case 2: Debbie Okparavero and Maliha Islam

Our second case concerns a pair of individuals, Debbie Okparavero, 61, and Maliha Islam, 51, both employed as customer service specialists at the RAC’s call centre in Stretford, Manchester. Their actions demonstrated a deliberate and coordinated effort to exploit their access to customer data for financial gain.

Okparavero and Islam unlawfully accessed and subsequently sold over 29,500 lines of personal information relating to individuals involved in road traffic accidents. This scale of data theft is substantial and could have significant consequences for the individuals whose data was compromised, potentially exposing them to unsolicited contact, scams or even identity theft.

The discovery of their misconduct was a direct result of the RAC’s proactive investment in enhanced security measures. The installation of new security monitoring software proved instrumental in flagging Okparavero’s unauthorised access and the subsequent copying of personal data.

This highlights the crucial role that technology plays in data loss protection, particularly in detecting unusual patterns of data access and usage that might otherwise go unnoticed.

Further investigation revealed the extent of the collaboration between Okparavero and Islam. It was found that Okparavero had shared the stolen information with Islam via WhatsApp, a clear indication of a premeditated plan to exfiltrate and distribute the data.

Worryingly, messages exchanged between the two suggested that a third party was providing payment for this illegally obtained information, indicating a potential network involved in the illicit trade of personal data.

The RAC promptly alerted the Information Commissioner’s Office (ICO), leading to charges being brought against both individuals under the Computer Misuse Act 1990 and the Data Protection Act 2018. On 8th October 2024, at Minshull Street Crown Court, both Okparavero and Islam pleaded guilty to the charges. They each received a six-month prison term, suspended for 18 months, and were ordered to complete 150 hours of unpaid work.

This case powerfully illustrates how insider threats can manifest as deliberate acts of data theft driven by financial incentives. It underscores the need for not only technological data loss protection measures but also robust employee training and awareness programmes that highlight the ethical and legal implications of data misuse.

Furthermore, stringent access controls and the monitoring of communication channels for unusual data sharing activities are vital components of a complete security posture.

Case 3: Jonathan Riches

The final case we will examine involves Jonathan Riches, 46, whose actions demonstrate a longer-term and more calculated exploitation of his former access privileges. Riches unlawfully accessed motorists’ personal data from his previous employer, Enterprise Rent-A-Car, over a period spanning from 2009 to 2011. His motive was clear: to obtain leads for his own personal injury firm, which he established after leaving Enterprise in 2009.

Despite no longer being employed by the company, Riches maintained contact with former colleagues, leveraging these relationships to gain unauthorised access to Enterprise’s internal database. This allowed him to obtain the personal details of individuals involved in road traffic accidents, whom he then contacted to offer his legal services.

The fact that Riches’s unauthorised access continued for such an extended period highlights potential weaknesses in Enterprise Rent-A-Car’s access revocation processes and their ability to detect and prevent former employees from accessing sensitive systems.

While the initial consequence for Riches was a significant £300,000 civil settlement ordered in favour of Enterprise Rent-A-Car, the ICO’s criminal investigations team subsequently became involved. Riches was interviewed and summoned to court in 2016.

However, he had by this time relocated to the United States and failed to appear, leading to the issuance of a warrant for his arrest. It was not until 2024 that he returned to the UK and surrendered to the authorities.

The legal proceedings at Cardiff Crown Court concluded on 13th August 2024, with Riches pleading guilty to an offence under Section 55 of the Data Protection Act 1998. He was ultimately fined £10,000 and ordered to pay £1,700 in costs. This case serves as a reminder that the threat of data loss can persist even after an employee leaves an organisation.

Robust data loss protection strategies must include not only stringent access control measures for current employees but also effective offboarding processes that ensure all access rights are immediately and completely revoked upon termination of employment.

Moreover, the ability to detect and audit historical data access patterns can be crucial in identifying unauthorised activity. The importance of data loss protection extends to ensuring that former employees cannot exploit past connections to gain illicit access to sensitive information.

These three distinct cases – Rizwan Manjra’s opportunistic data theft, Debbie Okparavero and Maliha Islam’s financially motivated scheme, and Jonathan Riches’s calculated exploitation of past access – collectively underscore the multifaceted nature of insider threats and the critical need for effective and reliable data loss protection strategies.

These incidents demonstrate that data loss can occur through various means, from unauthorised access and copying to deliberate exfiltration and the exploitation of past privileges. The consequences for both the individuals involved and the organisations affected can be severe, ranging from criminal prosecution and reputational damage to significant financial penalties and loss of customer trust.

How to identify a careless or malicious user and prevent data loss

Identifying careless or malicious users within an organisation requires a multi-faceted approach, combining technological monitoring with an understanding of human behaviour. A careless user isn’t necessarily acting with malicious intent – their actions are often simple mistakes, yet the consequences can be just as devastating as a malicious attack.

Common careless actions include misdirected emails (which are alarmingly frequent and often contain sensitive data), engaging with phishing attacks, sharing data with the wrong person or organisation, or installing unauthorised software. Such errors can lead to business disruption and reputational damage.

In contrast, a malicious user intentionally seeks to cause harm or gain illicitly. While some warning signs are more overt, such as employees facing disciplinary action or those passed over for promotions, other risks are harder to spot, like individuals experiencing financial hardship, mental health challenges or addiction.

These vulnerabilities can make employees more susceptible to committing malicious acts for financial gain. Key indicators for both careless and malicious users include unusual login patterns (e.g., accessing systems outside work hours), accessing data irrelevant to their role, excessive data downloads or transfers, or attempts to bypass security controls.

Proactive monitoring, robust access controls and comprehensive employee training are crucial in mitigating both types of insider threats.
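
The indicators above, together with the patterns seen in the Manjra and Riches cases (records outside the user's team, weekend access with no scheduled shift, access after leaving), can be checked directly against an access log. The following Python is an added example, not code from Net-Defence or any organisation named in this article; the log columns, staff table, rota, user names and record ids are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data: hypothetical users, teams and record ids.
ACCESS_LOG = """timestamp,user,record_id,record_team
2024-03-04T10:15:00,alice,CLM-1001,claims-a
2024-03-09T14:02:00,alice,POL-2001,claims-a
2024-03-09T14:03:00,alice,POL-2002,claims-a
2024-03-05T11:30:00,alice,CLM-9001,claims-b
2024-03-06T09:00:00,bob,CLM-9002,claims-b
2024-03-07T16:45:00,carol,CLM-9003,claims-b
2024-03-09T10:00:00,bob,CLM-9004,claims-b
"""
STAFF = {  # user -> (team, leaving date or None), as HR would supply it
    "alice": ("claims-a", None),
    "bob": ("claims-b", None),
    "carol": ("claims-b", date(2024, 2, 29)),
}
ROTA = {("bob", date(2024, 3, 9))}  # (user, day) pairs with an approved weekend shift

def review_access(log_text, staff, rota, weekend_threshold=2):
    """Return {user: sorted findings} for the three insider-access indicators."""
    findings = defaultdict(set)
    weekend_hits = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user = row["user"]
        team, left = staff.get(user, (None, None))
        if team is None:  # account with no HR record at all
            findings[user].add("unknown-account")
            continue
        if left is not None and ts.date() > left:
            findings[user].add("access-after-leaving")
        if row["record_team"] != team:
            findings[user].add("record-outside-team")
        # Saturday is 5 and Sunday is 6; rostered days are not counted.
        if ts.weekday() >= 5 and (user, ts.date()) not in rota:
            weekend_hits[user] += 1
    for user, n in weekend_hits.items():
        if n >= weekend_threshold:
            findings[user].add(f"unscheduled-weekend-access:{n}")
    return {u: sorted(f) for u, f in findings.items()}

if __name__ == "__main__":
    for user, flags in sorted(review_access(ACCESS_LOG, STAFF, ROTA).items()):
        print(user, flags)
```

In practice the staff and rota tables would come from HR and scheduling systems, and the weekend threshold would be tuned to the team's normal working pattern.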

How can Net-Defence help your business with data loss protection?

We understand that robust data loss protection demands a multi-faceted approach, addressing both technological vulnerabilities and human factors. We offer a complete suite of cyber resilience services designed to safeguard your sensitive information and mitigate the risks highlighted in recent data loss cases. These practical and accessible solutions can be tailored to the needs of your business.

A foundational service we provide is the Cyber Essentials Certification Scheme. As an IASME certifying body, we simplify the process of achieving either the basic or the more rigorous Cyber Essentials Plus certification. These government-backed schemes demonstrate a proactive stance against common cyber threats, reducing your data loss risk and assuring stakeholders of your security commitment.

To enhance your security posture, our Security Operations Centre (SOC) service offers 24/7 real-time monitoring and rapid incident response. By leveraging advanced threat intelligence and analytics, our SOC proactively detects and neutralises potential threats, providing constant vigilance against unauthorised access and data breaches.

Our Cyber Security & Resilience Bundles combine relevant certifications like Cyber Essentials and IASME Cyber Assurance, offering an effective combination of protection and cost savings. IASME Cyber Assurance assesses people, processes and technology, demonstrating your commitment to cyber security and data protection, significantly reducing your risk of data loss from internal and external attacks.

The Cyber Risk Assurance service, built on the IASME Cyber Assurance standard, offers an accessible cyber security framework, particularly for smaller organisations. This risk-based approach focuses on your ISMS, helping you establish essential controls to prevent data mishandling and loss.

For a globally recognised standard, our ISO 27001 Certification services provide a comprehensive framework for managing information security risks. We offer expert guidance through gap analysis, implementation, risk assessment, and the certification process, bolstering your data loss protection and fostering a culture of continuous security improvement.

Beyond certifications, our Compliance services include crucial security testing, such as phishing simulations to identify weaknesses that could lead to data breaches. Our training programmes educate your staff, building a security-conscious culture and reducing the risk of data loss due to human error.

Finally, our CIS benchmarking service helps secure your SaaS platforms by aligning with industry best practices, thereby reducing the risk of cloud-based data breaches. For those handling payment data, our PCI DSS certification services ensure a secure payment environment and prevent the loss of sensitive financial information.

By partnering with Net-Defence, you gain access to specialist knowledge and proactive strategies to strengthen your data loss protection and safeguard your valuable data from both internal and external threats. Contact us today to discuss your specific needs and discover how our services can help you build a more resilient and secure organisation.
