Fresh penalties secured after initial prison, community service sentences for RAC double act
# Incident Report: RAC Insider Threat and Data Trafficking
## Executive Summary
Two employees of the roadside assistance company RAC ran an insider scheme that exfiltrated the personal data of approximately 29,500 car crash victims and sold it to an unidentified third party. The incident resulted in criminal convictions and sentences (suspended prison terms and community service), followed by confiscation orders under the Proceeds of Crime Act totaling £128,799.82.
## Incident Details
- **Discovery Date:** Circa 2024 (no exact date disclosed); investigation, sentencing and confiscation proceedings ran from 2024 to 2026
- **Incident Date:** Prior to 2024, during the perpetrators' employment
- **Affected Organization:** RAC (Roadside Assistance Company)
- **Sector:** Automotive/Insurance/Services
- **Geography:** UK (Salford and Manchester)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed; the access took place over the course of Okparavero's employment
- **Vector:** Authorized Insider Access
- **Details:** Debbie Okparavero used her legitimate credentials as an employee to access internal databases containing accident victim information.
### Lateral Movement
- **Movement:** No lateral movement between systems was required. What moved was the data rather than the attacker: records were copied from corporate systems to a personal device and then passed on through a personal messaging app.
### Data Exfiltration/Impact
- **Exfiltration:** Okparavero copied approximately 29,500 lines of personal data.
- **Transfer:** The data was shared with co-conspirator Maliha Islam via WhatsApp.
- **Sale:** The data was subsequently sold to an unknown third-party buyer.
### Detection & Response
- **Detection:** RAC internal monitoring software detected Okparavero copying data from the systems.
- **Internal Response:** RAC conducted an investigation and reported the breach to the Information Commissioner’s Office (ICO).
- **Legal Response:** Criminal prosecution under the Computer Misuse Act and Data Protection Act; subsequent Proceeds of Crime Act (POCA) proceedings.
## Attack Methodology
- **Initial Access:** Valid employee credentials.
- **Persistence:** Not required; the insider's standing employee account provided continuous access.
- **Privilege Escalation:** None required; the employees utilized existing access to customer records.
- **Defense Evasion:** Use of encrypted messaging (WhatsApp) for peer-to-peer data sharing outside of corporate monitored channels.
- **Credential Access:** Not required; the insider's own legitimate credentials were used throughout.
- **Discovery:** Queries of RAC accident databases.
- **Collection:** Copying/exporting database records.
- **Exfiltration:** Copying data to a personal device, then onward transfer to the co-conspirator via WhatsApp.
- **Impact:** Compromise of nearly 30,000 records; financial gain for attackers.
## Impact Assessment
- **Financial:** Total of £128,799.82 in confiscation orders against the perpetrators; undisclosed costs for RAC investigation and legal fees.
- **Data Breach:** ~29,500 lines of data (car crash victims’ personal information).
- **Operational:** Diversion of resources to internal and regulatory investigations.
- **Reputational:** Public disclosure of the breach and the vulnerability of customer accident data.
## Indicators of Compromise
- **Network indicators:** N/A (Internal activity).
- **File indicators:** Large-volume export or copy operations originating from workstations with access to the accident database.
- **Behavioral indicators:** Unusual data access patterns; use of personal messaging apps to discuss corporate data transfers.
## Response Actions
- **Containment:** Monitoring software triggered an alert, stopping the ongoing activity.
- **Eradication:** Termination of the employees involved.
- **Recovery:** Criminal prosecution through the ICO and confiscation of the proceeds under POCA; remediation steps for the affected individuals are not disclosed.
## Lessons Learned
- **Monitoring Effectiveness:** Specialized monitoring software was successful in flagging unauthorized data copying that would have otherwise gone unnoticed.
- **Insider Threat:** Authorized users remain one of the highest risks to data privacy, particularly in industries involving high-value "lead" data (like accident claims).
- **Legal Recourse:** The use of the Proceeds of Crime Act (POCA) is an effective tool for stripping financial incentives from cybercriminals.
## Recommendations
- **DLP Implementation:** Enhance Data Loss Prevention (DLP) tools to block the transfer of sensitive data to webmail or messaging platforms.
- **Restrictive Access:** Implement the "Principle of Least Privilege" (PoLP) to ensure employees only see the records necessary for their specific tasks.
- **USB/Media Control:** Physically and logically disable the use of external storage devices on workstations handling sensitive data.
- **Audit Logging:** Log bulk export, download and print actions against customer databases, review the logs regularly, and alert on volumes that exceed a user's normal working pattern rather than waiting for a periodic review to catch them.
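As an added illustration of the behavioural indicators and the audit-logging recommendation above (this is example code written for this report, not RAC's monitoring tooling), the following script runs three detection rules over a constructed database audit log: a hard threshold on any single export or print action, a per-day volume comparison against the peer median (which catches many small reads that add up to a bulk copy), and access to a sensitive table outside business hours. The log format, the field names, the `accidents` table, the agent usernames and the thresholds are all assumptions made for the example.

```python
"""Bulk-export / anomalous-access detection over a database audit log.

Added example for this report, not RAC's own tooling. The log format
(timestamp user action table rows host), the table name, the usernames
and the thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data). Most agents touch one to a few
# accident records per query; agent04 exports thousands, including one
# export late at night.
SAMPLE_LOG = """\
2024-03-04T09:12:41 agent01 SELECT accidents 1 ws-112
2024-03-04T09:13:05 agent01 SELECT accidents 1 ws-112
2024-03-04T09:20:17 agent02 SELECT accidents 3 ws-118
2024-03-04T10:02:44 agent03 PRINT accidents 2 ws-120
2024-03-04T11:47:09 agent01 SELECT policies 1 ws-112
2024-03-04T12:31:58 agent04 EXPORT accidents 2400 ws-131
2024-03-04T12:33:12 agent04 EXPORT accidents 2100 ws-131
2024-03-04T13:05:40 agent02 SELECT accidents 2 ws-118
2024-03-04T22:14:03 agent04 EXPORT accidents 3000 ws-131
2024-03-05T08:55:21 agent03 SELECT accidents 1 ws-120
2024-03-05T09:10:30 agent04 SELECT accidents 4 ws-131
"""

BULK_ROWS = 500                   # a single EXPORT/PRINT at or above this always alerts
PEER_MULTIPLIER = 20              # daily rows above 20x the peer median alerts
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local; anything else is off-hours
SENSITIVE_TABLES = {"accidents"}  # assumed name of the table holding victim records


def parse_line(line):
    """Parse one whitespace-separated audit record into a dict."""
    ts, user, action, table, rows, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "table": table, "rows": int(rows), "host": host}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of (rule, user, when, rows) alerts for the given events."""
    alerts = []
    sensitive = [e for e in events if e["table"] in SENSITIVE_TABLES]

    # Rule 1: any single bulk export or print of a sensitive table.
    for e in sensitive:
        if e["action"] in ("EXPORT", "PRINT") and e["rows"] >= BULK_ROWS:
            alerts.append(("bulk_export", e["user"], e["ts"].isoformat(), e["rows"]))

    # Rule 2: a user's daily row total far above the peer median for that day.
    daily = defaultdict(int)
    for e in sensitive:
        daily[(e["ts"].date(), e["user"])] += e["rows"]
    by_day = defaultdict(list)
    for (day, user), rows in daily.items():
        by_day[day].append((user, rows))
    for day, pairs in sorted(by_day.items()):
        baseline = max(median(r for _, r in pairs), 1)  # floor avoids a zero threshold
        for user, rows in pairs:
            if rows > PEER_MULTIPLIER * baseline:
                alerts.append(("volume_anomaly", user, day.isoformat(), rows))

    # Rule 3: access to a sensitive table outside business hours.
    for e in sensitive:
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", e["user"], e["ts"].isoformat(), e["rows"]))
    return alerts


def flagged_users(alerts):
    """Distinct users appearing in any alert, for triage."""
    return sorted({a[1] for a in alerts})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for rule, user, when, rows in found:
        print(f"{rule:15} {user:8} {when:20} rows={rows}")
    print("review:", ", ".join(flagged_users(found)))
```

On the constructed log the script raises three bulk-export alerts, one volume anomaly and one off-hours alert, all against the same user. In a real deployment the same-day peer median is a weak baseline; compare each user against their own history over prior weeks, feed the rules from the database's native audit facility rather than a hand-built log, and route alerts to a queue that is actually watched, since the value of the control in this incident came from someone acting on the alert.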