Could DLP have prevented BoE Bookend disclosure?

Information about the Bank of England’s research project to identify financial risk associated with the United Kingdom leaving the European Union was accidentally sent to a journalist at The Guardian. Could an effective Data Loss Prevention (DLP) strategy have stopped this breach in its tracks?

DLP is about making sure users do not send confidential or classified information outside the corporate network and is largely driven by a combination of threats from inside businesses and legal duties to protect personal data. The key questions asked are:

  • Where is the data located?
  • Who has access to the data?
  • How is the data being used?
  • How can we prevent it from being lost or stolen?

It has not been suggested that details of Project Bookend were intentionally leaked to the media, nor that the breach was in any way at all malevolent. However, with the right policies and systems in place, both accidental and malicious data losses are preventable.

An effective DLP solution would include:

  • Specific files or project directories identified as confidential and subjected to monitoring;
  • Network and endpoint monitoring to track access, data transfers and files written to USB devices, including detection of uploads to social media sites or file storage services such as Dropbox;
  • Content profiles defined for specific data types such as bank account numbers, National Insurance numbers, insurance policy numbers, postcodes or credit card numbers;
  • Network and endpoint monitoring to track transfers of files containing profiled data structures, catching cases where confidential data has been added to other files that would not normally attract attention;
  • Integration with email services and other network protocols to intercept and block the transmission of data where attachments contain content matching the defined profile of confidential data.

In the case of the Bank of England, data pertaining to Project Bookend could have been classified as confidential and tracked internally. An attempt to send the files outside the perimeter would trigger interception of the email and prevent it from being transmitted: in effect, the entire email, along with any attachments, is quarantined for further investigation by an Information Security analyst.
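As an added, simplified illustration of the content-profiling and quarantine steps described above (example code written for this page, not from the original post or from any DLP product), this Python scanner matches three of the data types named here with constructed patterns, applies a Luhn check to cut false positives on card numbers, and quarantines an outbound email with external recipients when an attachment matches. The corporate domain, recipients and sample attachment are constructed placeholders.

```python
import re

# Constructed, simplified content profiles for data types the post lists
# (a production DLP product ships validated and tuned profiles).
PROFILES = {
    "uk_national_insurance": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b", re.I),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
}
CONFIDENTIAL_MARKERS = ("confidential", "project bookend")  # assumed labels

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count profile hits and classification markers in one attachment."""
    hits = {}
    for name, pattern in PROFILES.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if name == "card_number":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            hits[name] = len(matches)
    lowered = text.lower()
    markers = sum(lowered.count(marker) for marker in CONFIDENTIAL_MARKERS)
    if markers:
        hits["classification_marker"] = markers
    return hits

def evaluate_outbound(corp_domain: str, recipients: list, attachments: dict):
    """Gateway decision: quarantine when profiled data leaves the perimeter."""
    external = [r for r in recipients
                if not r.lower().endswith("@" + corp_domain.lower())]
    findings = {name: hits for name, body in attachments.items()
                if (hits := scan_text(body))}
    if findings and external:
        return "quarantine", findings, external  # hold for analyst review
    if findings:
        return "monitor", findings, external     # internal transfer: log it
    return "allow", findings, external

# Constructed sample attachment (placeholder data, not real identifiers).
SAMPLE_ATTACHMENT = """Project Bookend briefing (CONFIDENTIAL)
Contact: NI number QQ123456C, office SW1A 2AA
Corporate card 4111 1111 1111 1111"""
```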