Protecting your data is an important component of your cyber risk management plan and involves a certain level of preparedness for an event like a data breach. Even the best cybersecurity efforts will still fail at some point, however, and attackers will abscond with your organization’s confidential data, either to resell it on the dark web or to post it for all the world to see.

That is data exfiltration, and trying to prevent it is a cybersecurity program’s paramount duty. Attackers getting into your network (infiltration) and rifling through your data is bad enough, but even more critical is thwarting their ability to take the data out.

What Is Data Exfiltration?

When data is stolen (as opposed to leaked by an insider), that is data exfiltration. While data leaks are the accidental exposure of sensitive information to unapproved parties, data exfiltration is the deliberate act of moving sensitive data from inside an organization’s security perimeter to the outside without permission.

Also known as data theft, data exportation, data extrusion, and data exfil, data exfiltration typically happens through hacking, malware, or social engineering attacks. It can involve the theft of many types of information, including:

  • Usernames, passwords, and other login credentials.
  • Confidential enterprise data, including intellectual property or internal strategy documents.
  • Personal data about customers, employees, or clients.
  • Decryption keys for encrypted information.
  • Financial data such as credit card numbers and bank account details.
  • Software or proprietary algorithms.

It’s difficult to say exactly how common data exfiltration has become, but we know that the methods used to carry it out are on the rise. Phishing in particular is becoming a ubiquitous way to steal an organization’s data.

Phishing was the leading cause of complaints to the FBI in 2020; the agency also says that phishing incidents more than doubled from the previous year. Recorded personal data breaches increased from around 38,000 to more than 45,000.

Generally, companies with more than 1,000 employees are more likely to experience data exfiltration, but attacks against smaller companies, while less frequent, are much more successful.

A data exfiltration attack is a security breach in which your company’s data is copied, transferred, or retrieved from a computer or server without authorization. Such attacks are difficult to detect, as they involve transferring or moving data within and outside your company’s network and usually mimic typical network traffic.

This close resemblance often means that incidents go unnoticed until after the data exfiltration succeeds, which can result in substantial data losses. The best way to prevent data exfiltration is to understand the most common techniques to better prepare your organization against them.

Data exfiltration vs. data leakage vs. data breach

Data security incidents are often categorized into three main types: data exfiltration, data leakage, and data breaches. The three are related, but understanding the distinctions between them is essential:

Data Exfiltration

The unauthorized transfer of sensitive information from an organization’s network to external parties. It is a targeted, intentional attack mounted by cyber criminals to extract and profit from stolen data through theft or extortion.

Data Leakage

The accidental exposure of private data to unauthorized parties. It may occur through misconfigured databases, errors in access controls, insecure data handling by insiders, or connected third-party suppliers who improperly store the data.

Data Breach

The broadest of the terms. A data breach refers to any incident, whether intentional attack or unintentional behavior, that results in sensitive data being accessed by or revealed to unauthorized individuals. Breaches can be enabled via hacking, malware, physical theft, insider actions, or procedural breakdowns.

While differing in exact cause, all three compromise security through unauthorized data access. Recognizing whether an incident stems from targeted exfiltration, inadvertent leakage, or breach through other means informs an organization’s appropriate response and corrective actions.

Most Common Data Exfiltration Techniques

There are countless motives and methods for data exfiltration. Still, most attempts can be grouped into two categories: data exfiltration by someone inside your organization and data exfiltration by someone outside your organization.

Data exfiltration by insiders occurs when a company member shares company data with people or organizations outside your company. In many cases, these insiders have easy access to your company data, know workarounds to access your data, or have the technical know-how to infiltrate your secure systems to steal your data.

Data exfiltration by outsiders occurs when someone has stolen company data from outside your organization. These attacks are usually carried out remotely but can encompass several techniques that we will now explore.

Email
Email is the number one threat vector for most organizations. It’s a treasure trove of information, and it’s a resource that’s often used in data exfiltration attempts.

Insiders executing a data exfiltration attack can use email to send data to their own personal or third-party accounts. Outsiders can use email to target employees with phishing, spear phishing, or ransomware attacks. In fact, 96 percent of phishing attacks begin via email.

Phishing attacks consist of emails designed to look legitimate and appear to be from trusted senders. Phishing emails contain either a malicious attachment that infects the user’s device with malware or a link to a website that looks similar to a legitimate website but is spoofed to steal login credentials entered by the user.

Some attackers also launch targeted phishing attacks that aim to steal data from a specific user, such as senior company executives or high-worth individuals, such as celebrities or politicians. Cybercriminals can also use email to exfiltrate any data that sits on organizations’ outbound email systems, such as calendars, databases, images, and planning documents.

Remote Access

Another data exfiltration technique is to gain remote access to a server, device, or cloud storage platform and pull the data out from there.

An attacker can gain remote access to your company’s data assets using several methods, including:

  • Hacking to exploit access vulnerabilities.
  • Using a brute force attack to determine passwords.
  • Installing malware, whether via phishing or another method.
  • Using stolen credentials, whether obtained via phishing or on the dark web.

Most of the time, remote access data exfiltration incidents involve brute force techniques or compromised user credentials. Data exfiltration is most successful when systems rely on vendor-set or easy-to-crack passwords. For this reason, you must keep your company passwords strong and well protected.

Advanced Persistent Threats (APTs) are a form of cyberattack in which data exfiltration is the primary goal. APTs target specific companies or organizations to access or steal their restricted data while remaining undetected.

Here are some of the protocols that attackers commonly use to transfer data during data exfiltration:

  • Hypertext Transfer Protocol (HTTP) allows users to communicate data over the internet. HTTP is standard on most networks, so it’s a perfect choice for attackers. In the high volume of HTTP traffic flowing through enterprise networks, the malicious transfer of sensitive data usually goes unnoticed, allowing the attacker to stay undetected for the duration of the attack.
  • File Transfer Protocol (FTP): a protocol used to communicate and transfer files between a client and a server over the internet, and a reliable protocol for transferring large files. Using this method, an attacker must authenticate to an external FTP server from within the organization’s network to exfiltrate data.
  • Domain Name System (DNS): a protocol that translates human-readable domain names into IP addresses. DNS tunneling transmits data inside DNS queries and responses; it works by creating DNS records that point queries for a specific domain name to a server under the attacker’s control, so that the data encoded in each query is delivered to the attacker.
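As an added illustration of the DNS tunneling point above (example code, not from the original article), the following Python scans constructed DNS query log lines and flags client/zone pairs whose subdomains look like encoded payload: long, high-entropy, and never repeated. The log format, the thresholds, and the two-label zone approximation are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (time, client IP, queried name); not real traffic.
SAMPLE_LOG = """\
10:00:01 10.1.2.15 www.example.com
10:00:02 10.1.2.15 mail.example.com
10:00:03 10.1.2.15 cdn.example.net
10:00:04 10.1.2.22 a3f9c0e1b7d24e8a1c9f0b3d7e2a6c5f8b1d9e0a3c7f.exfil-test.invalid
10:00:05 10.1.2.22 9b2d7e1f0a4c8c3e5a7f1b9d2e6a0c4f8b3d7e1a5c9f.exfil-test.invalid
10:00:06 10.1.2.22 c7e1a5d9f3b82a6c0e4f8b1d5e9a3c7f2b6d0e4a8c1f.exfil-test.invalid
10:00:07 10.1.2.22 e4a8c2f6b0d16c0e4a8f2b5d9e3a7c1f5b9d3e7a1c5f.exfil-test.invalid
"""

def shannon_entropy(s):
    """Bits per character: encoded payload (hex/base32) scores high, hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Return (subdomain part, zone). The zone is approximated as the last two
    labels; a real deployment would use the public suffix list (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(log_text, min_sub_len=30, min_entropy=3.0, min_unique=3):
    """Flag (client, zone) pairs whose every query carries a long, high-entropy,
    never-repeated subdomain: the signature of data being encoded into queries."""
    stats = defaultdict(lambda: {"subs": set(), "encoded": 0, "total": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of aborting the scan
        _, client, qname = parts
        sub, zone = split_name(qname)
        s = stats[(client, zone)]
        s["total"] += 1
        s["subs"].add(sub)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            s["encoded"] += 1
    return [{"client": c, "zone": z, "queries": s["total"], "unique_subdomains": len(s["subs"])}
            for (c, z), s in stats.items()
            if len(s["subs"]) >= min_unique and s["encoded"] == s["total"]]
```

On the sample log only the `10.1.2.22` / `exfil-test.invalid` pair is flagged; ordinary hostnames like `www` and `mail` fail both the length and entropy tests.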

Physical Access

Physically stealing data from a business requires physical access to a server or device. Hence, this data exfiltration method is most commonly associated with current or former employees.

Research suggests that 15 percent of all insiders who exfiltrate data from organizations do so via portable USB drives, and 8 percent of outsiders do the same. Similarly, 11 percent of all insiders reported exfiltrating data via laptops/tablets, and 13 percent of outsiders said the same.

Sometimes, data exfiltration can be a result of accidental insider threats. Employees who download data to insecure devices inadvertently allow malicious actors to access sensitive corporate information.

Now that we’ve introduced some of the main types of data exfiltration techniques, let’s look at some ways to detect data exfiltration.

Ways to Detect Data Exfiltration

Depending on the type of attack method used, detecting data exfiltration can be a difficult task. Cyberattacks using techniques that are more difficult to detect are often mistaken for regular network traffic, which means they can go unnoticed until the damage has already been done.

The best way to prevent data exfiltration is to detect it as soon as an attack is launched. Some things you can do to detect data exfiltration and protect your organization’s data include:

  • Perform a risk assessment. This will help you identify all valuable data assets and inventory all the endpoints where this data resides. You should also estimate the business effect of potential exfiltration for each data asset you identify.
  • Create a data breach incident response policy. This is one information security control your organization can use to detect, stop, and recover from a cybersecurity incident. It should specify your methods of eliminating data security threats and who will carry out these actions. Altogether, your data breach incident response policy should cover stakeholder support, an inventory of sensitive data, and clear communication channels.
  • Train your employees. Most business leaders know the importance of their employees’ understanding of information security. Employee training can help your staff spot some less sophisticated phishing attacks and learn the protocols for reporting a data breach. Staff training is essential, but more is needed to prevent data exfiltration.
  • Consider blocking or blacklisting. Some organizations block or blacklist certain domains or activities to prevent data exfiltration attempts. This approach involves blocking certain email providers or software associated with cyberattacks. That said, blacklisting fails to account for the dynamic nature of modern work, where employees need to work with many different stakeholders via a wide range of mediums.
  • Label and tag sensitive data. Another Data Loss Prevention (DLP) strategy is to label and tag sensitive data. DLP software will notice any tagged data moving outside your company’s network and can flag or prevent the activity. While promising, this approach relies on employees classifying data correctly to be effective. Ultimately, the manual process of tagging data isn’t scalable since employees could label data incorrectly or not label sensitive data at all.
  • Employ email Data Loss Prevention (DLP). As mentioned, email is a crucial communication method for almost every business. But it’s also a fundamental way for cybercriminals to access your company’s valuable data. Email DLP can help filter out phishing attempts or other data exfiltration methods before your employees can view or open any attachments or links.
  • Establish endpoint protection. Data exfiltration focuses on retrieving, transferring, and copying data on endpoints, and endpoints have historically provided one of the most accessible access points for hackers. Comprehensive endpoint detection solutions can be a first-line defense against threats like data exfiltration.

Ultimately, preventing data exfiltration is possible with security solutions that provide both data loss prevention and data leakage prevention.

Data Exfiltration Prevention

Protecting sensitive data like healthcare records, financial information, Personally Identifiable Information (PII), and social security numbers from unauthorized access by external cyber threats and insider threats is a critical priority for organizations’ reputations and for their security teams. While detecting potential data exfiltration attacks in real time is essential, the ideal scenario is preventing them entirely with proactive on-premises and cloud data protection measures that stop threat actors before data can be compromised.

Secure Endpoints and Access Points

Endpoints like Microsoft workstations, servers, and mobile devices provide common access points for data exfiltration attempts and cyberattacks. Comprehensive endpoint detection and response solutions should be implemented as a first line of defense to monitor suspicious activity across all endpoints in real time and block threats. Strict access controls, intrusion detection, and multi-factor authentication procedures should limit access to authorized users only and prevent unauthorized access.

Control Data Movement

Data Loss Prevention (DLP) software, database activity monitoring, and Cloud Access Security Brokers (CASBs) can detect in real time when sensitive information is accessed or moved outside approved channels. Configuring these tools with appropriate controls, alerts, and restrictions can automatically flag or block risky data transmission to prevent data leakage.

Protect Networks and Communications

Firewalls, secure web gateways, email filters, and other network/communications protections offer vital controls. Next-Generation Firewalls (NGFWs) with advanced threat detection provide an added layer against data exfiltration attacks by monitoring network traffic for signs of compromised endpoints or unusual internal communications that could signal cybercriminals attempting to exfiltrate data. Limiting, monitoring, or blocking unnecessary outbound connections reduces the potential exit points for sensitive data.

Are Antivirus and Malware Solutions Enough to Prevent Exfiltration?

Antivirus and anti-malware tools have limitations in preventing sophisticated data exfiltration attacks. They focus primarily on detecting known threats. However, custom threats can evade these defenses and extract data.

Advanced attackers use zero-day exploits, stolen credentials via phishing, and malicious insiders that don’t rely on traditional malware. So, while still necessary, antivirus alone cannot prevent unauthorized data transfers.

Specialized tools are needed to control data movement, monitor activity, filter traffic, and manage access. Capabilities like data loss prevention, behavior analytics, web gateways, micro-segmentation, and zero trust prevent data theft in ways antivirus cannot.

Relying solely on malware detection creates gaps for hackers to exploit. A robust cybersecurity stack combines antivirus, network monitoring, access controls, and data loss protections to prevent exfiltration.

Protect Your Data with ZenGRC

How your organization protects itself from data exfiltration depends on the nature of your business, the information systems you use, and the federal and state laws you must comply with.

ZenGRC is a Governance, Risk management, and Compliance (GRC) platform that enables businesses to automate the self-auditing process necessary to document security controls and prepare for formal compliance audits.

Learn how ZenGRC can help ease the burden of data exfiltration detection by scheduling a demo today. That’s worry-free compliance and incident response planning — the Zen way.