Your data is crucial to your organization’s success. Is it protected from data exfiltration?
Businesses run on data. From trade secrets and financial records to employee emails and consumer data, digital information must be kept safe in modern workplaces. Unfortunately, threats to that data — ransomware, malware, data theft, supply chain attacks — are abundant.
We often write about specific types of data security incidents or cyberattacks. But today, we want to take a closer look at an issue that underpins many of these incidents: data exfiltration.
Involving both unauthorized access and data theft, data exfiltration is a critical concern for businesses aiming to safeguard their sensitive information. It’s often the result of data breaches, but unlike other cyberthreats, it’s particularly insidious because it can go undetected for months.
Read on to learn more about what data exfiltration is, how it overlaps with breaches and leaks, what its common vectors and consequences are, and how it can be mitigated.
What is data exfiltration?
Data exfiltration is the unauthorized transfer of data from a secure environment. Most data exfiltration involves sensitive or otherwise valuable information, posing a serious threat to an organization’s data confidentiality. It can be an accidental event, as when an employee sends data to the wrong recipient — but it’s most often a planned and malicious activity.
The motivation behind data exfiltration attacks can vary significantly. As the following examples demonstrate, malicious actors may include disgruntled employees looking for revenge, third parties hoping to profit off the sale of sensitive data, and competitors seeking to leverage trade secrets.
- In 2019, malware harvested the credit card information of over 30 million customers from the payment processing servers of the Wawa convenience store chain. The exfiltration attack went on for months before it was finally discovered.
- In 2018, hackers installed malware on the British Airways website and exfiltrated the personal data of about 500,000 customers in order to steal credit card details and other information.
- In 2016, a contractor for Anthem Health Insurance forwarded data including Social Security numbers from 18,500 member healthcare records to his own personal email, allegedly for the purposes of identity theft.
- Starting in 2011, an employee of General Electric began exfiltrating over 8,000 files of commercially sensitive information in order to set up a rival company using insider secrets. He obtained the files over the course of eight years after persuading one of the company’s IT administrators to grant him privileged systems access.
Data breaches, leaks, and exfiltration: understanding the difference
Because data can be exposed in many different ways and with many different motives, it can be difficult to keep track of terms. There’s some overlap among the categories of data breaches, data leaks, and data exfiltration, but they tend to have different connotations.
A data breach is any unauthorized access to sensitive information by cybercriminals. This access may occur through credential theft, unsecured storage buckets, or other security vulnerabilities. A data breach can happen without data leaks or exfiltration, but breaches are often the first step in leaks and exfiltration.
Data leaks are incidents where sensitive data is exposed to the public. The data exposure may happen inadvertently (e.g., through employee negligence), or it may happen maliciously (e.g., through a concerted hacking effort). Data leakage may be the result of a data breach and/or data exfiltration.
Data exfiltration, also known as data extrusion or data exportation, is specifically the removal of data by an unauthorized party or in an unauthorized manner. That data may then be publicly exposed in a data leak, or it may be used for another purpose (e.g., intellectual property theft).
Key consequences of data exfiltration
The consequences of data exfiltration are significant but under-researched. As IBM notes, there is plenty of information about the costs of data breaches, but very little data on the direct costs of data exfiltration: “[M]any data breach cost calculations do not include costs related specifically to exfiltration, such as the often substantial cost of ransom payments to prevent the sale or release of exfiltrated data, or the cost of subsequent attacks enabled by exfiltrated data.”
But even if we can’t put an exact dollar amount on data exfiltration incidents, there are several key consequences that companies are likely to see.
Loss of business continuity. A data exfiltration incident can disrupt normal business operations while teams remediate the data loss, investigate the breach, and restore systems. This can lead to downtime, financial losses, and potential long-term damage to the organization’s ability to function effectively.
Loss of intellectual property. Intellectual property (IP) often represents a company’s competitive advantage, particularly in sectors like biotech and manufacturing. When IP falls into the wrong hands, it not only weakens a company’s market position but also undermines its ability to stay ahead of competitors. Because proprietary data is highly valuable and can easily be purchased on the dark web, the impact of data exfiltration can extend well beyond immediate financial losses and affect an organization’s longevity.
Failing to meet regulatory compliance. Many industries and jurisdictions now have strict regulations governing data privacy, and at least 80% of the world’s nations have passed or drafted data protection laws. Under these regulations, a data exfiltration incident can result in major legal penalties, fines, and other regulatory actions.
Reputational damage. News of data exfiltration can spread rapidly, damaging a company’s public perception — particularly when sensitive personally identifiable information (PII) is at stake. Customers, clients, and partners may all lose confidence in an organization’s ability to protect important data, leading to long-term damage to the brand. One Ponemon Institute global survey of data breaches even set the average cost of reputational damage at over $1.5 million per incident.
Double extortion ransomware attacks. The growth in double extortion tactics has raised the stakes for data exfiltration, making it a more complex and damaging threat for organizations to combat. It’s bad enough when a threat actor is able to access and encrypt sensitive data in a ransomware attack, but if that same cybercriminal also manages to exfiltrate the data, they will have much more leverage for demanding a ransom payment.
Common data exfiltration techniques and vectors
Data exfiltration happens in two main ways: outsider attacks and insider threats. Perpetrators may remove sensitive data directly, or they may steal user credentials in order to gain more comprehensive access to corporate networks.
Outsider attacks. Like many other cyberthreats, data exfiltration attacks may be carried out via social engineering, phishing attacks, and malware. Threat actors may forward emails or download material to devices in order to move the targeted data out of the environment. Unfortunately, cybercriminals have become increasingly sophisticated at exploiting vulnerabilities and avoiding detection. They may anonymize connections to servers, use DNS tunneling, or implement fileless attacks and remote code execution in order to bypass cybersecurity tools.
Insider attacks. Although some data exfiltration happens as the result of disgruntled employees or malicious insiders, many insider data exfiltration events begin accidentally. For instance, an employee may transfer sensitive company data onto an insecure device like an external drive, laptop, or smartphone that doesn’t have corporate authentication tools installed — or they may access cloud storage locations in a non-secure way. From these common human errors, it’s easy for savvy attackers to gain access to their desired data.
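DNS tunneling, mentioned above as an evasion technique, leaves a characteristic footprint in resolver logs: many distinct, long, random-looking subdomains under one registered domain, often using record types that ordinary clients rarely request. The following is an added example (not code from the original article or from ShardSecure) of the kind of heuristic a detection team would run over such logs. The log line format, the four thresholds and the "registered domain is the last two labels" rule are assumptions chosen for illustration; the sample log is constructed.

```python
"""Heuristic scoring of DNS query logs for tunnelling-style exfiltration.

Added example, not code from the original article or from ShardSecure.
The log format, field layout, thresholds and the "last two labels"
registered-domain rule are assumptions chosen for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log: "<epoch> <client_ip> <qname> <qtype>", one query per line.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000003 10.0.0.9 a9f3b2c1d4e5f60718293a4b5c6d7e8f.tunnel.invalid TXT
1700000004 10.0.0.9 0b1c2d3e4f5a69788796a5b4c3d2e1f0.tunnel.invalid TXT
1700000005 10.0.0.9 ffee11dd22cc33bb44aa5599887766aa.tunnel.invalid TXT
1700000006 10.0.0.9 1234abcd5678ef9001234abcd5678ef9.tunnel.invalid TXT
1700000007 10.0.0.5 cdn.example.com A
1700000008 10.0.0.7 updates.vendor.test A
"""

# Record types that are rare in ordinary client traffic but roomy enough to carry data.
DATA_CARRYING_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain_prefix, registered_domain).

    Assumption: the registered domain is the last two labels. Production code
    should consult the Public Suffix List so names under co.uk etc. are handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_suspicious_domains(log_text: str, min_queries: int = 4, min_indicators: int = 2):
    """Group queries by registered domain and return {domain: [indicators]} for
    every domain that trips at least `min_indicators` of the four heuristics."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _, _, qname, qtype = parts
        prefix, domain = split_qname(qname)
        per_domain[domain].append((prefix, qtype.upper()))

    flagged = {}
    for domain, queries in per_domain.items():
        prefixes = [p for p, _ in queries]
        n = len(queries)
        avg_len = sum(len(p) for p in prefixes) / n
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / n
        unique_ratio = len(set(prefixes)) / n
        rare_ratio = sum(1 for _, t in queries if t in DATA_CARRYING_QTYPES) / n

        indicators = []
        if avg_len >= 20:
            indicators.append("long_labels")
        if avg_entropy >= 3.5:
            indicators.append("high_entropy")
        if n >= min_queries and unique_ratio >= 0.9:
            indicators.append("many_unique_subdomains")
        if rare_ratio >= 0.5:
            indicators.append("data_carrying_qtypes")
        if len(indicators) >= min_indicators:
            flagged[domain] = indicators
    return flagged


if __name__ == "__main__":
    for domain, why in flag_suspicious_domains(SAMPLE_LOG).items():
        print(f"{domain}: {', '.join(why)}")
```

Requiring two independent indicators keeps ordinary CDN and short hostnames (low entropy, short labels, A records) below the line while the constructed tunnel.invalid traffic trips all four. In practice the thresholds should be set from a baseline of the organization's own resolver traffic, and alerts should be enriched with the querying client so the incident responder can pivot to the endpoint.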
How to mitigate data exfiltration
Detecting, preventing, and mitigating data exfiltration can be a major burden for security teams. Traditionally, the approach has been to focus on endpoint security tools to make sure that sensitive data cannot leave the enterprise environment. These tools may include firewalls, email scanning programs to detect phishing attempts, anti-malware software, and endpoint encryption technologies.
Additionally, security teams employ tactics like role-based access controls (RBAC) and the principle of least privilege to prevent the kind of unauthorized access that could lead to exfiltration. Many will also turn to real-time detection tools, zero trust architecture, or data loss prevention/DLP tools (although we make the case for a proactive data loss protection approach instead).
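To make concrete what a DLP content-inspection rule does before data is allowed to leave, here is an added example (not code from the original article or from ShardSecure's product). It scans an outbound message for payment card numbers validated with the Luhn checksum and for SSN-shaped values, and returns redacted findings that a policy engine can act on. The sample message is constructed; the pattern set, the plausibility rules and the redaction style are assumptions chosen for illustration, and real DLP policies add many more detectors (document fingerprints, classification labels, keyword dictionaries).

```python
"""Content-inspection rule of the kind a DLP tool applies to outbound data.

Added example, not code from the original article or from ShardSecure's
product. The sample message, pattern set and redaction style are
assumptions chosen for illustration.
"""
import re

# Constructed outbound message containing a Luhn-valid test card number
# (4111 1111 1111 1111 is a widely used test number, not a real account),
# a number that fails the Luhn check, and an SSN-shaped value.
SAMPLE_MESSAGE = """\
Hi, attaching the export you asked for.
Card on file: 4111 1111 1111 1111 (exp 12/27)
Old card: 4111 1111 1111 1112
Employee SSN for the onboarding form: 123-45-6789
Ticket ref: 2024-11-0042
"""

# 13-19 digits with optional single space or hyphen separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_sensitive(text: str):
    """Return a list of (kind, redacted_value) findings in reading order."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            # Keep only the last four digits so the alert itself does not leak the value.
            findings.append(("PAYMENT_CARD", "*" * (len(digits) - 4) + digits[-4:], m.start()))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3), m.start()))
    findings.sort(key=lambda f: f[2])
    return [(kind, redacted) for kind, redacted, _ in findings]


def should_block(text: str) -> bool:
    """Policy decision: block the transfer if any finding is present."""
    return bool(find_sensitive(text))


if __name__ == "__main__":
    for kind, redacted in find_sensitive(SAMPLE_MESSAGE):
        print(f"{kind}: {redacted}")
    print("block" if should_block(SAMPLE_MESSAGE) else "allow")
```

The Luhn check is what separates this from a naive "16 digits in a row" rule: the constructed message's second card number fails the checksum and is not reported, and the ticket reference is too short to match at all. Findings carry only a redacted form of the value so that the DLP alert log does not itself become a copy of the sensitive data.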
However, as remote work and BYOD (bring your own device) have proliferated, it’s become more and more difficult to secure every endpoint and prevent every case of unauthorized access. Network environments are only getting more complex, and data exfiltration prevention is increasingly a moving target.
An alternative approach is to desensitize data wherever it is stored. ShardSecure’s platform for advanced data security, privacy, and resilience does precisely this, rendering sensitive data unintelligible and of no value to attackers. Whether your critical data is stored on-premises or with public cloud providers, the result is that unauthorized access and data exfiltration become much less serious events.
ShardSecure can also help companies maintain their business continuity in the event of a ransomware attack or other event that impacts data integrity or availability. Our self-healing, automatic data migration, and automatic alert features help enable faster detection, investigation, and remediation.
To learn more about how ShardSecure can help mitigate data exfiltration, visit our resources page.