The Insider Threat: Lessons from the MISL Data Breach

In a recent case that underscores the growing risks of insider threats, Rizwan Manjra, a former manager at Markerstudy Insurance Services Limited (MISL), was found guilty of unlawfully accessing and transmitting personal claimant data.The breach involved over 32,000 policies, with 90% of the accessed claims not even assigned to his team. While the case itself highlights the need for stricter security controls, it also exposes key failures in fraud detection and insider threat monitoring that many organizations struggle with today.

‍

1. Large Quantity & Off-Hours Access: A Missed Red Flag

One of the most immediate concerns in this breach was Manjra’s pattern of accessing large quantities of sensitive data, often during off-hours. Employees working extensively outside of normal business hours—especially in data-sensitive roles—should be a clear red flag. Many security and fraud prevention systems are designed to monitor such behavior, as unusual access times often correlate with malicious activity. In addition, Manjra’s file access rate far-surpassed his expected usage and, likely, the usage of his peers. Had a proper anomaly detection system been in place, this unusual behavior could have triggered an alert long before the breach escalated.

‍

2. Data Was Accessed and Transmitted:A Sign of Financial Motive

This was not merely an issue of unauthorized data viewing; Manjra actively removed and transmitted the data to a third party. This suggests a financial or incentive-based motivation, likely involving the sale of claimant information.Organizations must recognize that insider threats often involve a financial driver, and they should implement solutions that detect and prevent mass data exfiltration. Access to behavioral patterns and sentiment analysis can also herald high-risk actions far before an incident has taken place.  Had MISL deployed systems capable of tracking data transfers and gaining awareness of user activity, this breach could have been prevented or mitigated early on.

‍

3. Lack of Fraud Detection Systems

Another glaring issue in this case was the lack of adequate fraud detection systems at MISL. Manjra was able to access thousands of claims that were outside his job scope without triggering alarms. A robust fraud detection framework should include:

• User Behavior Analytics (UBA): Tracking anomalies in data access patterns.
• Role-Based Access Controls (RBAC): Limiting data access strictly to relevant personnel.
• Automated Alerts: Triggering security reviews when employees access excessive or unauthorized data.

‍

Had MISL implemented these measures, Manjra’s unauthorized access to such a large volume of data would have been flagged much earlier.

‍

4. A Third Party, Not MISL, Discovered the Breach

Perhaps the most concerning aspect of this case is that a third party—rather than MISL’s internal security tools—identified and reported the breach. This highlights a critical weakness in many organizations: privileged users often evade internal detection. Security systems must be designed not only to prevent external cyber threats but also to monitor privileged insiders effectively.Best practices to address this gap include:

• Privileged Access Monitoring: Tracking all activities by employees with elevated permissions.
• Real-Time Alerts for Unusual Behavior: Immediate notifications when users access high volumes of data unexpectedly.
• Regular Security Audits: Ensuring that access policies are regularly reviewed and enforced

‍

How InnerActiv Would Have Detected This Breach

InnerActiv provides an advanced security solution that excels in detecting insider threats like the MISL breach.

• Comprehensive User Monitoring: InnerActiv can analyze actions by all users, including the more challenging actions     performed by privileged users, ensuring no one operates outside of their     designated roles unnoticed. By continuously tracking user behavior, InnerActiv identifies deviations from normal patterns, reducing the risk     of insider threats.
• Fraud Detection Module: InnerActiv’s fraud module identifies abnormal actions within MISL’s applications or cloud portals, signaling when data may be at risk or when applications are being misused. By leveraging AI-driven analytics, InnerActiv can differentiate between routine access and potentially harmful activities.
• Behavior-Based Anomaly Detection: InnerActiv’s algorithms detect anomalies such as off-hours access, excessive data requests, and unauthorized file transfers. These indicators are then correlated to provide real-time risk assessments.
• Real-Time Alerts and Response: Time to detect and time to remediate are crucial, and InnerActiv prioritizes both. Automated alerts notify security teams immediately when suspicious behavior is detected, enabling quick response and containment before data is exfiltrated or misused.
• Reducing External Dependencies: Instead of relying on third parties to discover breaches, organizations using InnerActiv can proactively detect and mitigate threats internally, ensuring that security lapses are identified in real time.

By deploying InnerActiv, MISL could have significantly reduced the risk of insider threats, detected unauthorized access much earlier, and taken immediate remediation steps to prevent data loss.

‍

Strengthening Insider Threat Defenses

The MISL breach, while certainly not one-of-a-kind, serves as a reminder that insider threats are just as dangerous as external cyber-attacks. Organizations must proactively implement monitoring systems that detect off-hours access, identify unusual data transfers, enforce strict fraud detection controls, and ensure that security teams—not external parties—are the first to discover breaches. By taking these steps, companies can reduce their risk exposure and protect sensitive customer data from internal misuse.

‍