Could DLP have prevented BoE Bookend disclosure?

The Bank of England accidentally sent information about a research project to identify the financial risks of the United Kingdom leaving the European Union to a journalist at The Guardian. Could an effective Data Loss Prevention (DLP) strategy have stopped this breach in its tracks?

DLP is about making sure users do not send confidential or classified information outside the corporate network. It is driven by a combination of insider threats, both accidental and deliberate, and legal duties to protect personal data. The key questions it asks are:

  • Where is the data located?
  • Who has access to the data?
  • How is the data being used?
  • How can we prevent it from being lost or stolen?

Nobody has suggested that someone intentionally leaked Project Bookend details to the media, nor that the breach was in any way malevolent. However, with the right policies and systems in place, most accidental and many malicious data losses can be prevented.

An effective DLP solution would include:

  • Specific files or project directories identified as confidential and subjected to monitoring
  • Network and endpoint monitoring to track access, data transfer or writing files to USB devices
  • Detection of uploads to social media sites or to file storage services such as Dropbox
  • Profiling of specific data types such as bank account numbers, National Insurance numbers, insurance policy numbers, postcodes or credit card numbers
  • Network and endpoint monitoring to track transfers of files containing profiled data structures, catching the case where confidential data has been copied into an otherwise innocuous file that would not usually attract attention
  • Integration with email and other network protocols to intercept and block transmission where an attachment or message body matches the defined profile of confidential data
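As an added example (not code from the original article or from any DLP product), the following Python script sketches the email-gateway part of the list above: it parses an outbound message, treats any recipient outside an assumed internal domain (example-bank.internal) as "outside the perimeter", scans the body and attachments for a constructed classification marker and for simplified UK data profiles, and returns an allow or quarantine verdict. The regexes, the watch-listed project name and the sample messages are all assumptions constructed for illustration; the card-number check uses a Luhn checksum so that phone numbers and reference codes that merely look like cards are not flagged, and postcodes are reported but never block on their own because they are far too common.

```python
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

# Assumption: the organisation's own mail domain; anything else is outside the perimeter.
INTERNAL_DOMAINS = {"example-bank.internal"}

# Constructed classification markers: an explicit label, or a watch-listed project name.
CLASSIFIED_MARKERS = re.compile(r"CLASSIFICATION:\s*(?:CONFIDENTIAL|SECRET)|Project Bookend", re.I)

# Illustrative, simplified data profiles (real products use much richer validators).
PROFILES = {
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),  # e.g. AB123456C
    "bank_account": re.compile(r"\b\d{2}-\d{2}-\d{2} \d{8}\b"),                     # sort code + account no.
    "postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),                 # e.g. EC2R 8AH
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),                          # 13-19 digits, Luhn-checked
}
# Postcodes only corroborate other hits; these profiles justify a block on their own.
BLOCKING_PROFILES = {"ni_number", "bank_account", "card_number"}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                                   # "allow" or "quarantine"
    reasons: list = field(default_factory=list)
    findings: list = field(default_factory=list)  # (part name, profile, matched text)


def scan_text(part_name: str, text: str) -> list:
    """Return every classification marker and profile hit found in one message part."""
    findings = []
    marker = CLASSIFIED_MARKERS.search(text)
    if marker:
        findings.append((part_name, "classified_marker", marker.group(0)))
    for profile, pattern in PROFILES.items():
        for m in pattern.finditer(text):
            if profile == "card_number" and not luhn_ok(m.group(0)):
                continue                     # looks like a card number but fails the checksum
            findings.append((part_name, profile, m.group(0)))
    return findings


def external_recipients(msg) -> list:
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def message_parts_as_text(msg):
    """Yield (name, text) per leaf part. Binary attachments are only string-scanned here;
    a real product would extract text from Office and PDF files first."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_content_type()
        if part.get_content_maintype() == "text":
            yield name, part.get_content()
        else:
            yield name, (part.get_payload(decode=True) or b"").decode("utf-8", "ignore")


def check_outbound(raw_email: bytes) -> Verdict:
    """Policy decision for one outbound message, as a mail-gateway hook would make it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)
    external = external_recipients(msg)
    if not external:
        return Verdict("allow", ["no external recipients"])
    findings = [f for name, text in message_parts_as_text(msg) for f in scan_text(name, text)]
    reasons = []
    if any(p == "classified_marker" for _, p, _ in findings):
        reasons.append("classified content addressed to " + ", ".join(external))
    hits = sorted({p for _, p, _ in findings if p in BLOCKING_PROFILES})
    if hits:
        reasons.append("profiled data (%s) addressed to %s" % (", ".join(hits), ", ".join(external)))
    return Verdict("quarantine" if reasons else "allow", reasons, findings)


def build_sample(to_addr: str, body: str, attachment=None) -> bytes:
    """Constructed test messages; none of this is real correspondence."""
    msg = EmailMessage()
    msg["From"] = "analyst@example-bank.internal"
    msg["To"] = to_addr
    msg["Subject"] = "Re: research briefing"
    msg.set_content(body)
    if attachment:
        filename, text = attachment
        msg.add_attachment(text, subtype="plain", filename=filename)
    return msg.as_bytes()


SAMPLE_LEAK = build_sample("journalist@example-news.test", "Hi, note attached as discussed.",
                           ("bookend-notes.txt", "CLASSIFICATION: CONFIDENTIAL\nProject Bookend working note\n"
                                                 "Contact: J Smith, NI AB123456C, EC2R 8AH\n"))
SAMPLE_CARD = build_sample("vendor@example-supplier.test", "Please bill card 4111 1111 1111 1111 for the subscription.")
SAMPLE_INTERNAL = build_sample("colleague@example-bank.internal", "Please bill card 4111 1111 1111 1111 for the subscription.")
SAMPLE_POSTCODE_ONLY = build_sample("journalist@example-news.test", "Our office postcode is EC2R 8AH.")

if __name__ == "__main__":
    for label, raw in [("leak", SAMPLE_LEAK), ("card", SAMPLE_CARD),
                       ("internal", SAMPLE_INTERNAL), ("postcode only", SAMPLE_POSTCODE_ONLY)]:
        v = check_outbound(raw)
        print(f"{label:14s} -> {v.action:10s} {v.reasons} {v.findings}")
```

The internal-recipient message with a card number is allowed on purpose: the list above is about data leaving the perimeter, and blocking internal traffic on the same rule set would generate a flood of analyst work. The weak point, visible in the code, is that a message is only caught if it carries a marker or matches a profile; an unlabelled note that discusses the project in plain English slips through unless the policy also keys on project names or keywords.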

In the case of the Bank of England, data about Project Bookend could have been classified as confidential and tracked internally. An attempt to send the files outside the perimeter would then trigger interception of the email and prevent it from being transmitted: essentially a quarantine of the entire message, along with its attachments, for investigation by an information security analyst. The caveat is that DLP only stops what has been labelled or profiled, so the control is only as good as the classification discipline behind it; an unlabelled document that merely discusses the project would pass unless the policy also keys on project names or keywords.