Infrastructure Case Study

Engineering Division at a Global Infrastructure ConsortiumCatching Data Exfiltration That USB Controls Miss

When an IT security team at a global infrastructure consortium discovered that a project manager had been uploading construction blueprints to a personal cloud storage account — despite having USB write controls in place — they realized they needed to see what was on screen, not just what was plugged in. PrivateDLP's AI screen auditing gave them the screenshot that proved it.

4 Countries
Spain, Italy, Belgium, Panama
~200
Engineering Workstations
Data Exfiltration
AI Detected Cloud Upload Incident

Executive Summary

A global infrastructure consortium — spanning four countries and employing thousands of engineers and project managers across construction sites in Spain, Italy, Belgium, and Panama — had deployed USB write controls to prevent data exfiltration of sensitive project documents: CAD drawings, geological surveys, contract bids, and project schedules. But when the IT security team received a tip that a project manager was regularly uploading construction blueprints to a personal cloud storage account, they found themselves in a blind spot: the USB blocklist showed nothing was being copied to USB drives. The exfiltration was happening through a browser — and their existing tools couldn't see it.

The consortium's engineering IT security team self-funded a PrivateDLP deployment covering ~200 engineering workstations in the design and project management division. The key capability: AI screen auditing that could detect when sensitive project data was being exfiltrated through any channel — browser uploads, external drives, or printing — and capture screenshot evidence at the moment of violation.

AI detects when sensitive project files are being uploaded to personal cloud storage — even when USB controls show no violation
Screenshot evidence at the moment of exfiltration — proving what file was on screen and where it was being sent
Unified security standards across all four country operations — eliminating inconsistent policies between partner companies
Cross-border audit trail satisfying government oversight requirements for strategic infrastructure projects

Client Profile

The client is the IT security team of the engineering division at a multinational engineering consortium — a joint venture of construction and engineering firms from Spain, Italy, Belgium, and Panama, formed to execute a multi-billion dollar strategic infrastructure project of national importance. The engineering division operates ~200 Windows workstations across construction site offices, engineering design centers, and project headquarters in all four countries. Engineers and project managers handle highly sensitive documents including CAD construction drawings, geological survey data, contract bid documents, and detailed project schedules — all of which represent significant competitive and security value if leaked.

Consortium Structure

4 partner firms from Spain, Italy, Belgium, and Panama managing a strategic infrastructure project

Deployment Scope

~200 Windows workstations in the engineering division — self-funded by IT security team

User Base

Engineers, CAD designers, project managers, and administrative staff with access to sensitive project documents

Data at Risk

CAD blueprints, geological surveys, contract bids, and project schedules — strategic assets if leaked to competitors

The Challenges

A global infrastructure consortium realizing their USB blocklist has a critical blind spot — data exfiltration through the browser

USB Controls Can't Catch Cloud Uploads — And That's How Data Was Actually Leaking

The consortium had USB write controls deployed. But when a project manager was reported to be regularly uploading construction blueprints to a personal Google Drive account, the USB blocklist showed nothing. The data wasn't leaving via USB — it was going through the browser. Their existing tools had a blind spot: they could only see device events, not what's being done in the browser window. They needed to see when sensitive project files were being uploaded from inside a browser session.

Four Countries, Four Security Cultures — Inconsistent Policies Were the Weakest Link

Each partner firm had its own IT security policies. One country's engineers had strict USB controls but open internet access; another's had web filtering but no device controls. This inconsistency meant a determined employee could route data through whichever channel wasn't monitored in their location. The consortium needed unified visibility across all four countries — not just unified policies.

Construction Sites Have Unique USB Risks — Phone Charging Is a Real Problem

Remote construction sites are challenging IT environments: workers need to charge phones, contractors use personal USB drives for field equipment, and site offices have shared workstations where anyone might plug in a device. Simply blocking all USB wasn't workable — but allowing it opened a clear exfiltration vector. The consortium needed USB controls that could distinguish between phone charging and data copying, and alert on the latter.

Government Oversight Requires Demonstrating What Happened — And When

As a strategic infrastructure project subject to national government oversight, the consortium must be able to demonstrate appropriate data handling to regulators. When the exfiltration incident occurred, they needed to show: who accessed which project document, when, and what they did with it. Their previous tools could show USB device connections — but not file access events or browser uploads of project data.

The Solution: PrivateDLP

The consortium's IT security team evaluated PrivateDLP because it could answer the question their USB blocklist couldn't: not just "was a USB device used?" but "was a project blueprint being uploaded to a personal account right now?"

AI Screen Auditing — Seeing What USB Controls Can't

Instead of relying solely on device events, the IT team wrote natural language rules describing the exfiltration behavior they cared about: "alert when a CAD file is being uploaded to a personal cloud storage account" or "alert when a project blueprint is being printed to PDF." The AI analyzes what's on the screen — not just what device is plugged in — catching the cloud upload vector their USB controls were blind to.

Screenshot Evidence — Proving What Was Uploaded, To Where

When the AI detects that a sensitive project file is being exfiltrated, it captures the screen at that moment — showing the browser window with the file being uploaded to a personal account. This screenshot evidence is what the IT team lacked before, and what makes investigations and compliance reporting conclusive.

Deployment Details: ~200 Pro licenses deployed across engineering workstations in the design and project management division. The IT security team self-funded the deployment. PrivateDLP was layered on top of existing USB controls — adding the investigation and audit capability those controls couldn't provide on their own.

What the Consortium Deployed

AI screen auditing layered on top of existing USB controls — giving the IT security team the visibility they needed across all four countries

Natural Language Rules — 'Alert When a CAD File Is Being Uploaded to a Personal Cloud Account'

The IT team wrote rules in plain English describing the exfiltration behaviors they needed to detect — behaviors that USB controls alone couldn't catch. The AI understands these rules by analyzing what's on the screen, not just device events.

  • Rule example: 'alert when a file with .dwg or .pdf extension containing project blueprints is being uploaded to a personal cloud storage account' — the AI recognizes file content, not just file names
  • Rule example: 'alert when the browser shows a Google Drive, Dropbox, or OneDrive upload in progress with a project file on screen'
  • Rule example: 'alert when a project document is being printed to PDF and the destination is not a consortium-approved printer'
  • No complex configuration or regex — just describe the suspicious behavior in plain language

Screenshot Evidence — The Proof That Made the Case

When the AI detects that a sensitive project file is being exfiltrated, it captures a screenshot at that moment. On a shared workstation, this is the difference between suspicion and proof.

  • Screenshot captured at the exact moment of exfiltration — showing the browser window, the file being uploaded, and the destination URL
  • Evidence includes timestamp and user context — essential for disciplinary proceedings and regulatory reporting
  • Screenshots stored to the consortium's own storage or PrivateDLP's secure storage (Pro feature)
  • This is what the IT team lacked when investigating the cloud upload incident — and what made the case conclusive

USB Controls Tuned for Construction Site Realities — Not a Blanket Ban

The consortium needed USB write controls that could block unauthorized data copying without disrupting legitimate site operations like phone charging. PrivateDLP's USB controls allow read-only access for phone charging while blocking write operations — and the AI layer provides the visibility to distinguish between the two.

  • USB write blocked on all project workstations — preventing unauthorized copying of CAD files and project documents
  • USB charging (read-only) permitted — allowing workers to charge phones without introducing malware or data exfiltration risk
  • Only consortium-approved encrypted USB devices allowed write access — personal devices are blocked from writing
  • AI monitoring layer on top of USB controls — catching exfiltration that USB controls alone cannot detect

Cross-Border Audit Trail — Government Oversight Ready

With government oversight of the strategic infrastructure project, the consortium must demonstrate appropriate data handling. PrivateDLP's audit trail provides comprehensive logs across all country operations — not just USB events, but actual screen activity involving sensitive project data.

  • AI-generated audit logs for all screen activity involving sensitive project documents — CAD files, geological surveys, contract documents
  • Logs include: which workstation, which user account was logged in, what was on screen, what action triggered the alert
  • Exportable reports for demonstrating appropriate data handling to government regulators
  • Web console provides unified access to audit logs and alert history across all four countries

Business Results & Impact

From a critical blind spot in their security posture to a complete picture — what the consortium gained after deploying PrivateDLP

Metric / ObjectiveBefore DeploymentAfter Deployment
Cloud Upload Detection
USB controls showed no violation — the project manager was exfiltrating data via browser, not USB, and the USB blocklist was blind to itAI screen auditing detected the cloud upload and captured screenshot evidence at the moment of exfiltration — proving what was uploaded, to where, and when
Cross-Country Visibility
Each country had different security policies — no unified view of what was happening on workstations across the four operationsCentralized web console provides unified visibility across all four countries — one dashboard for all engineering workstation activity
USB Policy That Works on Site
Blanket USB block would disrupt legitimate phone charging; open USB allowed data exfiltrationUSB write blocked for personal devices; charging permitted; AI monitoring layer catches anything USB controls miss
Government Compliance Reporting
Could only provide USB device connection logs — not evidence of actual file access or browser uploadsAI-generated audit logs provide screen-level evidence for government regulators — who accessed which project document, when
Cloud Upload Detection
Blind Spot Closed
Cross-Country Visibility
Unified Visibility
USB Policy That Works on Site
Site-Ready Controls
Government Compliance Reporting
Audit Trail Ready

"When we received the tip about the project manager uploading blueprints to a personal Google Drive account, our USB blocklist showed nothing. We knew data was leaving — but we couldn't prove it. What we needed was someone who could see what was on the screen. PrivateDLP gives us that. Now we have the screenshot — the browser window, the file, the destination URL, the timestamp. That's the evidence we needed."

— Head of Engineering IT Security, Global Infrastructure Consortium

Large engineering and construction projects face a common security paradox: the same connectivity that makes modern engineering possible — internet access, cloud storage, mobile devices — also creates data exfiltration channels that USB controls can't see. A project manager uploading blueprints to a personal Google Drive account isn't violating a USB policy. They're violating a data policy — and detecting that requires seeing what's on the screen.

PrivateDLP's AI screen auditing closes this blind spot. ~200 engineering workstations covered in the engineering division across four countries — giving the consortium's engineering IT security team the visibility they needed to detect data exfiltration through any channel, and the screenshot evidence to prove it.