Retry in progress
You have 1 previous attempt for this scenario. Submitting again will create a new attempt and show a comparison against your most recent response.
Insider Data LeakDifficulty · mediumHigh asset
DLP rule DLP-CRM-EXFIL-03 fired.
User m.silva@acme-corp.com (Senior Engineer, Platform team) ran a bulk export from the CRM at 09:48 UTC: customer-export.csv, 1.21M rows, 384 MB. Twelve minutes later the same file (matching content hash) was uploaded from a personal-laptop session on the guest Wi-Fi to a Dropbox personal account.
Context (from HR): Silva submitted resignation 2 weeks ago. Last day is 2026-04-30 (in 11 days). No prior history of bulk exports on this account in the last 12 months.
This may need legal/HR involvement. Please respond carefully.
— DLP
Evidence
DLP event + CRM audit + endpoint context
# CRM audit log (m.silva@acme-corp.com)
2026-04-19 09:31:08 LOGIN ip=10.12.40.221 (corp-laptop, MSILVA-LT04)
2026-04-19 09:48:14 EXPORT object=Account filter=AllTime rows=1,212,884
fields: name, email, phone, contract_value, support_tier, notes
2026-04-19 09:48:51 DOWNLOAD customer-export.csv size=384MB
2026-04-19 10:01:17 LOGOUT
# Network / DLP correlation
10:00:42 guest-wifi src=10.250.6.18 (BYOD, MAC f4:5c:..)
POST https://www.dropbox.com/upload body_hash=matches customer-export.csv
uploaded to: m.silva.personal@gmail.com Dropbox
# Other audit findings (last 14 days, same account)
- 5 queries against AWS prod IAM ListUsers / ListAccessKeys
- README access in repo "infra-secrets-runbook" (private)
- After-hours logins: 3 nights this week (22:30–01:00 UTC)
# HR record (sensitive)
m.silva — resignation accepted 2026-04-05, last day 2026-04-30,
no formal offboarding ticket opened yet.Affected asset
- Name
- m.silva@acme-corp.com (Senior Engineer)
- Type
- Engineering account with CRM read + AWS read role + private repo access
- Owner
- Platform Engineering
- Level
- High