Could DLP have prevented BoE Bookend disclosure?

    The Bank of England accidentally sent a journalist at The Guardian information about a research project to identify the financial risk of the United Kingdom leaving the European Union. Could an effective Data Loss Prevention (DLP) strategy have stopped this breach?

    DLP is about ensuring users do not send confidential or classified information outside the corporate network. It is driven by threats from inside businesses and by legal duties to protect personal data. The key questions asked are:

    • Where is the data located?
    • Who has access to the data?
    • How is the data being used?
    • How can we prevent it from being lost or stolen?

    Nobody has suggested that someone intentionally leaked Project Bookend details to the media, nor that the breach was in any way malevolent. However, with the right policies and systems, accidental and malicious data losses are preventable.

    An effective DLP solution would include:

    • Monitoring specific files or project directories identified as confidential
    • Network and endpoint monitoring to track access, data transfers and files written to USB devices
    • Detection of uploads to social media sites or to file storage services such as Dropbox
    • Profiling of defined data types such as bank account numbers, National Insurance numbers, insurance policy numbers, postcodes or credit card numbers
    • Network and endpoint monitoring to track transfers of files containing profiled data structures, which catches cases where someone adds confidential data to other files that would not usually attract attention
    • Integration with email services and other network protocols to intercept and block the transmission of data where attachments contain content that matches the defined profile of confidential data

    An attempt to send the files externally would trigger interception of the email and prevent it from being transmitted; essentially, the entire email, along with any attachments, would be quarantined for further investigation by an information security analyst.
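
    The profiling and quarantine steps above can be sketched as a mail-gateway check. This is an added example, not code from the article or from any DLP product: the domain `corp.example`, the simplified patterns, the function names and the sample email with dummy identifiers are all assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain
# Simplified profiles for data types the article lists (assumed patterns, not a product's rules).
PROFILES = {
    "national_insurance": re.compile(r"\b[A-Z]{2}\s?(?:\d{2}\s?){3}[A-D]\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: rejects long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return the names of every profile that matches the text."""
    hits = {name for name, rx in PROFILES.items() if rx.search(text)}
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD.finditer(text)):
        hits.add("card_number")
    return hits

def evaluate(msg):
    """Scan body and attachments; quarantine the whole email if profiled data leaves."""
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = any(not a.lower().endswith("@" + INTERNAL_DOMAIN) for _, a in rcpts)
    hits = set()
    for part in msg.walk():
        if not part.is_multipart():
            raw = part.get_payload(decode=True) or b""
            hits |= scan_text(raw.decode("utf-8", errors="replace"))
    return ("quarantine" if hits and external else "deliver"), hits

def sample_message(to):
    """Constructed test email: harmless body, attachment holding dummy identifiers."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "analyst@corp.example", to
    msg.set_content("Hi, the notes are attached.")
    msg.add_attachment("name,ni,card\nA Example,QQ 12 34 56 C,4111 1111 1111 1111\n",
                       subtype="csv", filename="staff.csv")
    return msg

if __name__ == "__main__":
    print(evaluate(sample_message("reporter@news.example")))
```

    The verdict applies to the whole message, so a clean body does not let a matching attachment through, and the set of matched profiles is returned for the analyst reviewing the quarantine.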