Precision Components Manufacturer in MexicoCatching the Engineer Who Uploaded CAD Files to Google Drive — For "Working From Home"
When an automotive customer's competitor submitted a quote with parts that looked suspiciously similar to their proprietary designs, the manufacturing firm's IT security team had no log showing who had accessed or transferred the CAD files. What they found was an engineer uploading files to personal Google Drive from his workstation — "because the files were too large for email." PrivateDLP's screen auditing caught the next one before it became a second data breach.
Executive Summary
The client is a mid-size precision components manufacturer in Mexico — producing machined parts, automotive brackets, and aerospace fittings for customers across North America. Their engineering department works with CAD files that represent years of proprietary design work, and their factory floor runs three shifts with varying levels of supervision, particularly on the night shift.
The triggering event was a phone call from their biggest automotive customer: a competitor had submitted a quote with part designs that were suspiciously similar to their proprietary specifications. The IT security team had no logs showing who had accessed or transferred the CAD files — the group's USB blocklist blocked unauthorized devices, but the engineer had been uploading directly from his browser to personal Google Drive. He wasn't trying to steal anything. He needed to work from home for the weekend and the files were too large for email. The competitor's similar designs were a coincidence — but the IT team had no way to prove it, and no way to catch the next engineer doing the same thing.
What the firm bought was PrivateDLP's AI screen auditing — specifically the capability to detect browser-based file transfers to personal cloud storage, with screenshot evidence they could show to automotive customers during supplier audits. What they also discovered: the night shift on the production floor was averaging 35% entertainment time — YouTube, streaming video, social media — because there was no supervision and no one had ever looked.
Client Profile
The client is a mid-size precision components manufacturer in Mexico — producing machined parts, automotive brackets, and aerospace fittings for customers across North America. The engineering department works with CAD files representing years of proprietary design investment. The factory floor runs three shifts, with night shift supervision significantly lighter than day shift. The firm's customer base includes automotive manufacturers and aerospace companies, all of whom conduct regular supplier audits and have strict requirements around how their proprietary part specifications are handled and stored.
Engineering Workstations
150+ workstations across engineering, factory floor, and quality control labs
Customer Base
Automotive manufacturers and aerospace companies across North America
Security Requirements
CAD file protection, supplier audit compliance, proprietary design confidentiality
Workforce Structure
Three shifts with varying supervision levels; night shift has minimal oversight
The Challenges
Running a precision components manufacturer with 150+ engineering and factory floor workstations, serving automotive and aerospace customers with strict supplier audit requirements
USB Blocklist Can't Catch Browser-Based CAD Transfers — And That's How the Files Were Actually Leaving
The firm's USB blocklist policy blocked unauthorized removable storage on engineering workstations. None of that stopped an engineer from opening Google Drive in Chrome and uploading the automotive bracket CAD files to a personal account — 'for working from home over the weekend.' When the automotive customer called about a competitor's similar designs, the IT team had no logs showing what had happened. The engineer wasn't malicious. He genuinely didn't think uploading to his personal Google Drive was a problem. The firm's blocklist had no visibility into browser-based file transfers — and no way to produce screenshot evidence for the automotive customer's audit.
Night Shift Was Running 35% Entertainment Time — Because No One Was Watching
The production floor runs three shifts. Day shift has floor supervisors walking the line. Night shift has one supervisor for the entire floor — and the workers know it. The head of operations suspected productivity was lower at night but had no data to make the case. What PrivateDLP's AI screen auditing found: the night shift was averaging 35% entertainment time — YouTube, streaming video, social media — on workstations that were supposed to be running production programs. Not everywhere. But enough to matter.
Pirated CAM Software on Factory Floor Workstations — Introduced Via USB
One of the CNC operators had been installing a pirated version of a CAM software package from a USB drive he'd brought from home — because the licensed version took too long to load and this one was 'faster.' The IT team found it during a routine security audit. The pirated software had full network access, ran on a workstation connected to the production line, and had been there for four months. It wasn't caught earlier because the USB blocklist was partially disabled on factory floor workstations due to 'operational conflicts' with approved tooling USBs.
No Audit Trail for Automotive Customer Supplier Reviews
The firm's automotive customers conduct annual supplier audits and ask for evidence of how proprietary part specifications are protected. When the automotive customer asked for logs showing who had accessed a specific part's CAD files and when, the IT team produced system logs — which showed the engineer's workstation had been active, but not what had actually been opened, transferred, or screenshotted. The automotive customer's audit team left with unanswered questions. The firm had no way to demonstrate a clean chain of custody for their most sensitive design files.
The Solution: PrivateDLP
The firm chose PrivateDLP for two capabilities its existing stack didn't have: AI screen auditing that could catch browser-based CAD file transfers with screenshot evidence, and productivity monitoring that could show the head of operations what night shift workers were actually doing on their workstations
Browser-Based Transfer Detection
The core capability the firm needed: AI screen auditing that could detect when an engineer had a CAD file open alongside a personal cloud upload window — and preserve the screenshot as evidence. The engineering supervisor writes rules in plain English: "flag any screenshot showing a CAD file open alongside a personal cloud upload window." The IT administrator deploys the rule from the server console the same day.
Night Shift Productivity Visibility
The head of operations wanted data on what night shift workers were actually doing on their workstations. PrivateDLP's AI screen auditing captured screenshots approximately every minute and analyzed them for entertainment activity. The first report showed 35% entertainment time across the night shift — YouTube, streaming video, social media. The head of operations had something in writing for the first time.
Deployment: The Windows client was deployed across 150+ engineering workstations, factory floor terminals, and quality control computers. Screenshots are stored on the firm's own infrastructure — which was a procurement requirement for the automotive customer's supplier security review. The engineering supervisor owns the productivity rule definitions. The IT administrator handles deployment and incident review.
Implementation & Key Capabilities
PrivateDLP gave the precision components manufacturer two capabilities it didn't have before: browser-based CAD transfer detection with screenshot evidence, and productivity monitoring that department heads could operate without vendor consultants
Browser-Based CAD Transfer Detection With Screenshot Evidence
The capability the firm was buying: AI screen auditing that could catch browser-based personal cloud uploads alongside open CAD files — with timestamped screenshot evidence for automotive customer audits:
- Plain-language rule definition: An engineering supervisor writes a rule like 'flag any screenshot showing a CAD file open alongside a personal cloud upload window' — no regex, no vendor consultant
- Screenshot evidence on demand: When a rule fires, the triggering screenshot is preserved — timestamped, linked to the workstation, available for supervisor review and automotive customer audits
- Customizable alert content: The IT administrator defines what the alert says and who receives it when specific rules are triggered — engineering supervisor, IT security, or both
- AI model flexibility: Screenshots are analyzed by their own LLM — all data stays within the firm's own infrastructure
Night Shift Productivity Monitoring — In Plain English
The head of operations wanted visibility into what night shift workers were actually doing. PrivateDLP's AI screen auditing provided it — with rules the head of operations wrote herself:
- Plain-language productivity rules: The head of operations writes rules like 'flag any screenshot showing streaming video during work hours' or 'flag any screenshot showing social media during production window hours'
- Shift-specific baselines: Night shift has its own baseline — what counts as productive versus entertainment is configured per shift schedule, not one rule for all shifts
- Department-level reporting: The AI produces a weekly breakdown by department — engineering, quality control, production — showing work time versus entertainment time, per shift
- Privacy-first design: Screenshots are deleted immediately after AI analysis unless a rule is triggered — protecting worker privacy while providing the data the head of operations needs
USB Controls With Operational Flexibility
The firm needed to fix the gap where USB controls had been partially disabled on factory floor workstations due to conflicts with approved tooling USBs:
- Approved device whitelist: Only enterprise-approved encrypted USB devices used for legitimate manufacturing operations — CNC programming, quality control testing — are allowed. Personal devices are blocked.
- Tooling USB exception management: The IT team configured a whitelist of approved tooling USBs by hardware ID — the ones used for CNC machines and test equipment. Everything else is blocked.
- Application installation control: Only approved applications can run on factory floor workstations — blocking the pirated CAM software that had been installed via USB four months earlier.
- Pirated software detection: The Windows client flags when a new application is installed outside the approved list — alerting the IT team before it becomes a production security incident.
On-Premises Screenshot Storage for Supplier Audits
The automotive customer's supplier security review required evidence that proprietary part specifications were handled properly. PrivateDLP's storage options addressed the procurement requirement:
- On-premises screenshot storage: All screenshots are stored on the firm's own Windows server — not in a third-party cloud. This was a hard requirement for passing the automotive customer's supplier security review.
- Chain of custody documentation: When a rule fires, the screenshot is preserved with full metadata — timestamp, workstation ID, user account, rule triggered — creating an auditable chain of custody.
- Retention and access controls: Screenshots are retained for 90 days on-premises, with role-based access controls — only the IT administrator and designated supervisors can view incident screenshots.
- Audit-ready reporting: The IT administrator can generate a report showing all triggered rules, screenshots preserved, and actions taken — for the automotive customer's annual supplier audit.
What Changed at the Firm
Three months after deployment, the engineering supervisor is writing her own productivity rules, the IT team has screenshot evidence on demand, and the head of operations has baseline data on what night shift productivity actually looks like
| Metric / Objective | Before PrivateDLP | After PrivateDLP |
|---|---|---|
Browser-Based CAD Transfer Detection | USB blocklist showed nothing; the Google Drive uploads were discovered from the engineer's own explanation during a conversation, not from any internal alert | 1 confirmed personal cloud upload violation in the first 45 days — an engineer uploading aerospace fitting designs to personal Dropbox before a long weekend |
Night Shift Productivity Visibility | The head of operations knew night shift was less productive than day shift but had no data — only suspicion | AI productivity reports showed 35% average entertainment time across night shift — YouTube, streaming video, social media — concentrated in 4 specific workstations |
Pirated Software Detection | Pirated CAM software had been running on a factory floor workstation connected to the production network for 4 months before a routine audit found it | Application installation alerts now fire within 24 hours of any new application being installed outside the approved list — on all 150+ workstations simultaneously |
Automotive Customer Audit Readiness | System logs showed workstation activity but not what files were opened, transferred, or screenshotted — insufficient evidence for the automotive customer's supplier audit | Screenshot evidence is preserved at the moment of rule violation — timestamped, linked to the workstation and user account, available for the next automotive customer audit |
"The thing that opened the conversation with our biggest automotive customer wasn't about us having a data breach. It was about us having no way to prove we hadn't. They asked for logs showing who had accessed a specific part's CAD files and when. We could show them system logs that said the engineer's workstation had been active. We couldn't show them what he'd actually done. That was the moment our IT director understood what we were missing. The screenshot evidence is what makes this work for an automotive supplier. The next time a customer asks, we can show them."
"I wrote the first rule myself. The IT team didn't have to call a vendor or build a regex pattern. I just said 'flag any screenshot showing a CAD file open next to a personal cloud upload window' and they deployed it the same afternoon. Three months in, I've written rules for personal cloud uploads with design files visible, streaming video during production hours, and social media during the night shift window. The IT team is happy because I'm not asking them to build custom DLP policies. I'm happy because I actually have visibility into what the night shift is doing. The part that made this procurementable for a manufacturing firm: screenshots don't leave our infrastructure. Our automotive customers ask about that specifically."
The firm's deployment is scoped to 150+ engineering workstations, factory floor terminals, and quality control computers — managed from a single Windows server, with screenshot storage on the firm's own infrastructure. The engineering supervisor owns the productivity rule definitions. The IT administrator handles deployment and incident review. The arrangement is self-sustaining: when a new concern emerges, the supervisor writes the rule and the IT administrator deploys it the same day.
What the firm bought wasn't a full security overhaul. It was a tool that fit two specific gaps: screen-level visibility on engineering workstations where CAD files live, and productivity monitoring that the head of operations could actually operate without calling a vendor consultant. The deployment stayed within the firm's budget, server infrastructure, and automotive customer procurement requirements — and it gave the engineering supervisor something she'd never had before: her own rule set, deployed without waiting for IT vendor engagement.