#28 CASE STUDY - NO DATA LOSS PREVENTION (DLP)

"I'll just send myself a copy of the client list with WeTransfer to finish work at home." 

COMPANY 

  • Sector: Legal Services 

  • Size: 90 employees 

  • Location: Brussels 

FACTS & FIGURES 

  • No restrictions on file transfer services (WeTransfer, Dropbox, Gmail) 

  • Employee uploaded 5,000 client records to a personal WeTransfer account 

  • Business Impact: Uncontrolled data exfiltration and GDPR breach 

STORY 

At a law firm in Brussels, one employee needed to continue working on a client list outside of office hours. Without thinking twice, they uploaded a copy of the file, containing more than 5,000 sensitive records, to their personal WeTransfer account to access it from home. 

The file transfer link remained active for several days without encryption or access restrictions. Eventually, the link was discovered by an external third party scanning for exposed URLs. The client list, which contained highly confidential personal data, was downloaded and shared publicly. 

The firm was caught off guard: there were no policies or technical measures in place to block or monitor the use of unapproved cloud file-sharing platforms. As a result, sensitive data left the company perimeter unnoticed until it was too late. The incident forced the firm to notify every impacted client and report the breach to the Belgian Data Protection Authority, severely damaging its reputation. 

INCIDENT OVERVIEW 

Data Loss Prevention (DLP) is often perceived as an advanced control, but it addresses everyday risks. Employees often seek convenient ways to remain productive, such as emailing documents to personal accounts or using free file-sharing services like WeTransfer. Without monitoring and restrictions, these seemingly harmless actions become dangerous vectors of data exfiltration. 

In this case, the lack of DLP and cloud access controls meant that an entire client database could be exported and exposed through a simple upload. What seemed like a harmless shortcut turned into a GDPR breach with regulatory, financial, and reputational consequences. 

BUSINESS IMPACT 

  • GDPR violation and regulatory fines 

  • Loss of client trust and legal liability 

  • Reputational damage within the sector 

SECURITY MEASURES 

  • Deploy DLP solutions to monitor and block sensitive data transfers, including uploads to unapproved cloud file-sharing services 

  • Restrict use of removable media 

  • Encrypt USB devices where allowed 

  • Provide secure remote working alternatives 
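The measures above are policy statements; the following is an added illustration of what the first one looks like as enforcement logic. It is example code written for this page, not Cresco's product or any vendor's rule set. It assumes a web proxy that can log (and, with TLS inspection, read) outbound requests, an approved file-sharing host (files.example-firm.be), a list of unsanctioned consumer services, a Belgian national register number format as the sensitive identifier, and constructed log lines and client data; all of these are assumptions, not details from the case study.

```python
"""Minimal DLP-style egress check (illustrative, not a vendor implementation).

Two controls from the case study:
 1. Block uploads (POST/PUT) to consumer file-sharing services the firm has not approved.
 2. Flag outbound content that looks like a bulk export of personal data.
"""
import re
from dataclasses import dataclass

# Assumption: the firm's approved file-sharing host.
APPROVED_HOSTS = {"files.example-firm.be"}
# Assumption: consumer services the policy forbids for client data.
UNSANCTIONED_HOSTS = {"wetransfer.com", "dropbox.com", "mail.google.com", "drive.google.com"}
UPLOAD_METHODS = {"POST", "PUT"}
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024   # assumption: 10 MiB to an unknown host is worth an alert
BULK_RECORD_THRESHOLD = 50              # assumption: >= 50 distinct identifiers = bulk personal data

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Assumption: Belgian national register number, YY.MM.DD-XXX.CC, is the identifier to protect.
RRN_RE = re.compile(r"\b\d{2}\.\d{2}\.\d{2}-\d{3}\.\d{2}\b")


def host_in(host, hosts):
    """True if host equals, or is a subdomain of, any entry in hosts."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


def count_personal_identifiers(text):
    """Count distinct e-mail addresses and register numbers in decoded content."""
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    rrns = set(RRN_RE.findall(text))
    return len(emails) + len(rrns)


@dataclass
class Verdict:
    action: str   # "allow" | "alert" | "block"
    reason: str


def check_egress(method, host, size, content=None):
    """Decide on one outbound request.

    content is the decoded request body, available only when the proxy does
    TLS inspection; the destination-based block needs no inspection at all.
    """
    if method.upper() not in UPLOAD_METHODS:
        return Verdict("allow", "not an upload")
    if host_in(host, UNSANCTIONED_HOSTS):
        return Verdict("block", f"upload to unsanctioned service {host}")
    if content is not None and not host_in(host, APPROVED_HOSTS):
        n = count_personal_identifiers(content)
        if n >= BULK_RECORD_THRESHOLD:
            return Verdict("block", f"{n} personal identifiers bound for {host}")
    if not host_in(host, APPROVED_HOSTS) and size >= LARGE_UPLOAD_BYTES:
        return Verdict("alert", f"{size}-byte upload to unknown host {host}")
    return Verdict("allow", "policy satisfied")


# Constructed proxy log (not real data): timestamp user src_ip method host bytes_out
SAMPLE_LOG = """\
2024-03-04T18:42:11Z jdoe 10.0.0.12 GET www.example.com 512
2024-03-04T18:43:05Z jdoe 10.0.0.12 POST wetransfer.com 7340032
2024-03-04T18:50:40Z asmith 10.0.0.31 PUT files.example-firm.be 7340032
2024-03-04T19:02:17Z asmith 10.0.0.31 POST upload.unknown-host.net 20971520
"""


def scan_log(log_text):
    """Run the egress policy over log lines; return (ts, user, host, action, reason) for non-allowed ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _src, method, host, size = line.split()
        verdict = check_egress(method, host, int(size))
        if verdict.action != "allow":
            findings.append((ts, user, host, verdict.action, verdict.reason))
    return findings


def build_client_list(n):
    """Constructed client export with n fake records, used to exercise the content check."""
    return "\n".join(
        f"Client {i}, client{i}@example.org, {i % 99:02d}.01.15-{i:03d}.42"
        for i in range(1, n + 1)
    )


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(check_egress("POST", "upload.unknown-host.net", 4096, build_client_list(60)))
```

The destination check alone would have stopped the upload in the story, and it works at the proxy or DNS layer without decrypting anything. The content check is what catches the same export sent to a host nobody has listed yet, but it only sees the body if the proxy terminates TLS, so an environment without inspection should treat large uploads to unknown hosts as an alert at minimum, as the third rule does. Regular expressions are a crude classifier; a production DLP engine would add document fingerprinting and tuned thresholds to keep false positives manageable.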

RESOURCES 

Ready to strengthen your cybersecurity?

Contact us today to discuss how Cresco's services can help protect and secure your organisation.