
How insider threats are becoming Corporate India’s biggest cybersecurity nightmare

Incident response plans must address insider threats, as standard security tools may fail. Organisations need clear steps to detect compromised accounts, isolate systems and contain the damage swiftly.


The math is brutally simple: $2,760 (Rs. 2.35 lacs) investment, $140 million (Rs. 1,200 crores) return. That’s the economics of insider threats in 2025 and it’s keeping CEOs awake at night. The recent Brazilian banking heist, where a single IT operator sold his credentials for pocket change and enabled one of the largest digital thefts in history, isn’t an anomaly; it’s a preview of what’s coming to corporate India.

Internal threats have become the bane of enterprises today. With more and more functions being offloaded to machines, smartphones and cloud infrastructure, each access point is controlled by credentials in the hands of few “privileged” employees. Managing these data access points has become exponentially harder, especially when the threat comes from within.

Take the KiranaPro incident that made headlines earlier this year. The Indian grocery startup was allegedly hacked by a disgruntled employee who deleted their servers, bringing operations to a grinding halt. Co-founder and CEO Deepak Ravindran’s candid admission that they were “hacked and servers deleted” sent shockwaves through the startup ecosystem.


Here was a company that had raised millions, built a promising platform and was taken down not by sophisticated hackers halfway across the world, but by someone who probably knew where the office coffee machine was kept.

But the Brazilian banking heist reads like something straight out of a Bollywood thriller. Picture this: mysterious criminals approach João Nazareno Roque outside a bar near his home in March. It’s the kind of shadowy recruitment you’d expect to see in a James Bond film—strangers materialising from the darkness, making an offer too tempting to refuse. Except this wasn’t Daniel Craig dodging bullets in Monte Carlo; this was a 30-year-old IT operator in São Paulo being handed R$5,000 for his company credentials.

The plot thickens with early morning clandestine operations that would make any spy movie director proud. Between 4 a.m. and 7 a.m. on 30 June, while most of Brazil slept, the criminals executed their plan with military precision.


Roque later told investigators he communicated with at least four different voices during the attack—all young men coordinating the digital heist in real time. He changed phones every 15 days, never met his co-conspirators beyond that initial bar encounter and claimed that he helped create specialised software to enable the breach.

If this were a movie, audiences would roll their eyes at the implausible plot. But this wasn’t fiction—it was a real-life $140 million heist that unfolded like a perfectly scripted thriller. As it is often said, “truth is stranger than fiction”.

What makes these incidents particularly unsettling is that they blur the line between Hollywood fiction and corporate reality. These aren’t master criminals operating from hidden lairs, but they’re far from amateurs either.


The fact that Roque’s handlers sounded like “young men” and maintained complete anonymity suggests a new breed of cybercriminal—tech-savvy professionals who’ve perfected the art of digital heists while maintaining operational security that would impress intelligence agencies. The $140 million result speaks to their competence, not their inexperience.

The scale of potential damage is staggering. In Brazil, six financial institutions lost access to their reserve accounts in under three hours. The attack targeted C&M Software, which connects smaller banks to Brazil’s central banking system, including the Pix instant payment platform. By compromising one intermediary, criminals gained access to multiple institutions simultaneously. It’s like having a master key that opens every door in the building.

Indian enterprises face similar vulnerabilities. The country’s rapid digital transformation has created countless access points, from fintech platforms handling millions of transactions to startups managing sensitive customer data. The Paytm data breach concerns, various cryptocurrency exchange incidents and multiple cases of employee data theft highlight how widespread these risks have become.

So how can organisations protect themselves against the enemy within? The answer isn’t just technical—it’s about rethinking trust itself.

First, access control needs to move beyond traditional approaches. Instead of zero-trust architectures (ZTA), which many enterprises struggle to implement effectively, organisations should adopt multi-person authorisation for high-value assets. Think of it like a bank locker system—you need two synchronised keys, one with the customer and another with a bank employee. Both parties must be present to access the vault.

This principle should apply to critical digital assets. The control need not be physical (with individuals required to be present for authentication or authorisation); it can be digital, using three-factor authentication where two of the three factors are the smartphones of two senior, trusted team members.

For sensitive operations like fund transfers, system administration or data access, require approval from multiple individuals. If the Brazilian banking incident had required a second employee to authorise those early morning transactions, corrupting two people simultaneously would have been exponentially more difficult than compromising one IT operator outside a bar.

Today’s multi-factor authentication assumes the outside world is dangerous but the individual user is trustworthy. The Brazilian case proves this assumption wrong—both the external criminals and the internal employee were compromised. A dual-person control system creates redundancy that protects against exactly this scenario.
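As an added illustration (not code from the article or from eScan), the dual-person control described above can be expressed as a small authorisation check: a high-value request is released only when two distinct people from an approver roster have each approved the same request digest within a short window, and the requester cannot be one of them. The roster names, the 15-minute window and the request fields are assumptions.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta

# Constructed roster of people allowed to act as the "second key", and the
# window within which both approvals must land (both are assumptions).
APPROVERS = {"cfo_alice", "ciso_bob", "ops_head_carol"}
APPROVAL_WINDOW = timedelta(minutes=15)

def request_digest(request):
    """Canonical digest so both approvers provably approve the same request."""
    canon = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def authorise(request, approvals, now):
    """approvals: list of (approver, digest, timestamp). Returns (ok, reason)."""
    want = request_digest(request)
    valid = set()
    for who, digest, ts in approvals:
        if who not in APPROVERS:
            return False, f"{who} is not an authorised approver"
        if who == request.get("requester"):  # the initiator can never be a key holder
            return False, f"{who} cannot approve their own request"
        if not hmac.compare_digest(digest, want):
            return False, f"{who} approved a different request"
        if not timedelta(0) <= now - ts <= APPROVAL_WINDOW:
            return False, f"approval by {who} is outside the {APPROVAL_WINDOW} window"
        valid.add(who)  # a set, so the same person approving twice counts once
    if len(valid) < 2:
        return False, f"need 2 distinct approvers, have {len(valid)}"
    return True, "authorised"
```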

Second, behavioural monitoring can catch anomalies before they become disasters. When someone suddenly starts accessing systems they’ve never used before or downloading unusual amounts of data, automated systems should flag these activities.

The Brazilian attack might have been detected if someone had noticed the compromised credentials being used to issue fraudulent transfer orders at 4 a.m., activity that should have raised immediate red flags given the unusual timing and the operator’s normal work patterns.
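As an added example (not from the article), here is the kind of baseline comparison the two paragraphs above call for: an operator's normal hours, systems and transfer volumes are learned from past activity, and each new event is flagged when it falls outside that pattern. The log lines, user name and 10x volume threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed history, "timestamp,user,action,resource,bytes": the operator's
# normal pattern is daytime logins to the ops console and modest report pulls.
HISTORY = """\
2025-06-02T09:12:00,jroque,login,ops-console,0
2025-06-02T10:40:00,jroque,download,report-db,120000
2025-06-03T14:05:00,jroque,login,ops-console,0
2025-06-04T11:30:00,jroque,download,report-db,95000
""".splitlines()

# Constructed events to score: 4 a.m. transfer orders, a bulk pull, a normal login.
EVENTS = """\
2025-06-30T04:17:00,jroque,transfer_order,pix-gateway,0
2025-06-30T04:25:00,jroque,download,customer-db,4800000
2025-06-30T10:05:00,jroque,login,ops-console,0
""".splitlines()

def parse(line):
    ts, user, action, resource, nbytes = line.split(",")
    return datetime.fromisoformat(ts), user, action, resource, int(nbytes)

def build_baseline(lines):
    """Per user: hours of day seen, resources used, largest transfer in bytes."""
    base = defaultdict(lambda: {"hours": set(), "resources": set(), "max_bytes": 0})
    for ts, user, _, resource, nbytes in map(parse, lines):
        b = base[user]
        b["hours"].add(ts.hour)
        b["resources"].add(resource)
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return base

def score(line, base, volume_factor=10):
    """Reasons this event deviates from the user's baseline (empty = normal)."""
    ts, user, _, resource, nbytes = parse(line)
    b = base.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if ts.hour not in b["hours"]:
        reasons.append(f"off-hours activity at {ts.hour:02d}:00")
    if resource not in b["resources"]:
        reasons.append(f"first-ever access to {resource}")
    if nbytes > volume_factor * b["max_bytes"]:
        reasons.append(f"volume {nbytes} exceeds {volume_factor}x baseline")
    return reasons

def flagged(events, history):
    base = build_baseline(history)
    return {e: r for e in events if (r := score(e, base))}
```

In a real deployment the baseline would be learned over weeks rather than four lines, and the flagged dictionary would feed an alert rather than a return value.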

Third, employee screening and ongoing monitoring need serious upgrades. Financial stress, job dissatisfaction and personal grievances are predictable risk factors. HR departments should work closely with security teams to identify employees who might be vulnerable to recruitment or prone to malicious behaviour.

Fourth, organisations must establish clear standard operating procedures (SOPs) for immediate access revocation. The moment an employee with access to critical resources shows signs of compromise, resignation or termination, there should be protocols for instantly disabling hardware keys, tokens, biometric identifications, passwords and all system access.

This isn’t just about IT systems—it includes physical access cards, cloud platform permissions and third-party service accounts. The Brazilian incident demonstrates how quickly compromised credentials can be exploited; organisations need response times measured in minutes, not hours or days.

Fifth, access to data servers and critical resources should implement geographical and network-based restrictions. Organisations should limit access to specific IP addresses or only allow connections from countries or areas where they have legitimate business presence.

Terminal servers require additional protection through specialised gatekeeper technologies like eScan’s Terminal Server Protection Module (TSPM), which acts as a security barrier controlling access from external networks. These measures create additional hurdles for attackers, even when they have compromised credentials.

Finally, incident response planning must account for insider threats. When the attack comes from within, traditional security measures may be useless. Organisations need protocols for rapidly identifying compromised accounts, isolating affected systems and preventing further damage.

The uncomfortable truth is that perfect security is impossible when humans are involved. But as the Brazilian banking heist demonstrates, the cost of inadequate security can be catastrophic. The question isn’t whether your organisation will face an insider threat—it’s whether you’ll be prepared when it happens.

After all, in a world where Rs. 2.35 lacs can buy you Rs. 1,200 crores worth of damage, the price of prevention looks like a bargain.

The author is CEO and MD, eScan. Views are personal.

Govind Rammurthy
Govind Rammurthy is an Indian entrepreneur with over 30 years of experience in cybersecurity and software development. He is the CEO of eScan and founder of MicroWorld, established in 1993. Rammurthy holds a degree in Computer Science from VJTI, Mumbai. He began his career at Tata Motors (formerly TELCO) before starting MicroWorld with three engineers.