Data Exfiltration: What It Is and How to Prevent It

Data exfiltration is one of the biggest — and potentially costliest — cybersecurity threats facing any organization. This unauthorized transmission of data out of an organization can happen any number of ways but is most often carried out by cybercriminals.

What Is Data Exfiltration?

Data exfiltration is the unauthorized transfer of data out of an organization via unauthorized access to one of its endpoints or other access point, usually by a cybercriminal who has used ransomware or some other malware to illegally access the data. Data exfiltration is one of the biggest and costliest cybersecurity risks organizations face and can result from an attack by outsiders or the actions of malicious or careless insiders.

Data exfiltration — also referred to as data theft, data leakage, or data extrusion — is unlike a traditional ransomware attack in which data may only be encrypted. Both can have sweeping and significant impacts on an organization, its suppliers, and its customers. Data loss can lead to operational issues, financial losses, and reputational damage.

Cybercriminals who carry out data exfiltration are targeting data of high value. The types of data most often stolen in data exfiltration exploits include:

• Corporate and financial information
• Intellectual property and trade secrets
• Customer databases
• Usernames, passwords, and credentials
• Personally identifiable information such as Social Security numbers
• Personal financial information
• Cryptographic keys
• Software or proprietary algorithms

With the right policies and tools such as Mimecast’s data loss prevention (DLP) services, organizations can boost their protection against data exfiltration without impeding operations or productivity.

How Does Data Exfiltration Work?

Data exfiltration can happen as a result of an attack by outsiders or the efforts of malicious insiders. Bad actors can exfiltrate data in a number of ways: digital transfer, the theft of physical devices or documents, or an automated process as part of a persistent cyberattack. And, as the ITRC report reveals, these cyberattacks are growing more complex, sophisticated — and successful.

Some of the more common techniques used for data exfiltration include:

• Phishing and social engineering: Malicious actors can trick victims by email, text, phone, or other method into providing them entry into a device or network. They may get the user to download malware, for example, or provide log-in credentials.
• Malware: Once injected onto a device, malware can spread across an organization’s network where it can infiltrate other systems and search for sensitive corporate data to exfiltrate. In some cases, malware can lurk in the network, gradually stealing data over time.
• Email: Cybercriminals can steal data sitting in email systems, such as calendars, databases, documents, and images. They can exfiltrate the data as email, text, or file attachments.
• Downloads/uploads: Under the category of accidental exfiltration, someone may access data from an insecure device like a smartphone or external hard drive, where it is no longer protected by corporate cybersecurity policies and solutions. In the malicious insider category, employees or contractors may download information from a secure device and then upload it to an external device like a laptop, smartphone, tablet, or thumb drive.
• Poor cloud hygiene: When authorized users access cloud services in an insecure way, they may leave a door open for bad actors to deploy and install malicious code, make changes to virtual machines, or submit nefarious requests to cloud services. 

There are a few ways that cybercriminals can profit from data exfiltration. Bad actors may steal data outright to gain access to personal or financial accounts and insider business information, or they may sell that data on the black market. Alternatively, they may use data exfiltration to supercharge their ransomware efforts. Typically, in a ransomware attack, cybercriminals will encrypt data or otherwise make it inaccessible until the victim organization pays them to restore data access. In addition, ransomware gangs may combine encryption with data theft. They are fortifying their efforts with so-called double extortion, threatening to leak or sell an organization’s data if a payment is not made.

Types of Exfiltrated Data

In today’s digital landscape, data exfiltration poses threats to source code, valuable IP, and customer information. For security professionals, understanding the various methods by which sensitive information can be illicitly transferred out of a network is crucial to building robust defense mechanisms. 

From human error and non-secure cloud app behavior to deceptive strategies like phishing and social engineering, the avenues for data exfiltration are numerous and varied. Even seemingly benign activities, such as sending a simple email, can serve as unwitting conduits for data leaks. Our goal is to arm you with the knowledge to identify and mitigate these threats effectively.

Social engineering and phishing attacks

Social engineering is a method of data exfiltration that exploits individuals to get them to reveal sensitive information. Malicious actors pose as trustworthy security professionals and employ techniques based on human psychology to breach security defenses. These actors may pose as a trusted coworker or an executive who will utilize a sense of urgency or fear to pressure employees into giving out sensitive information. Establishing clear communication expectations and training teams to identify social engineering scams is essential to keeping data safe.

Phishing is a form of social engineering where malicious attackers deceive individuals to release sensitive information through email or text. Phishing emails often try to emulate company branding and messaging in hopes to connect with employees through familiarity. The best way to combat phishing is to get ahead of the game by educating employees on email security and authenticity. Conducting regular phishing tests can familiarize teams with the tactics that bad actors might use.

Outbound emails

When 319 billion emails are sent each day, it’s no surprise that some of them might be involved in data exfiltration. Many employees end up using their personal email or personal file hosting services to send or store confidential work documents. This movement can be out of convenience or it might stem from more nefarious motivations, but even emailing a work document to and from a personal Gmail, for instance, can have destructive consequences — whether employees know it or not. Forrester discovered that 64% of security professionals have challenges identifying data movement between personal and corporate domains like Gmail with their current DLP or CASB solutions. Once a domain is whitelisted, it’s nearly impossible to blacklist every possible iteration of that domain.

Human error and non-secure cloud app behavior

While cloud technology and tools have enabled new ways of working, they’ve also intensified the scale and impact of data exfiltration. To that end, 71% of cybersecurity professionals surveyed in the 2022 report mentioned earlier are worried about sensitive data saved on local machines/personal hard drives and/or personal cloud storage and services.

Some of the most common behaviors that center around cloud apps in particular include: 

• Using untrusted personal devices to log into corporate cloud apps
• Making private cloud links publicly available
• Downloading corporate data via cloud app to a home device
• Using unsanctioned clouds (usually personal clouds) to share data with 3rd parties and colleagues

Every time an authorized user performs one of these actions, they put your data at risk.

A significant amount of data exfiltration is also caused by human error. Employees inadvertently expose data when they do things like accidentally connect an iPhone to a corporate device or share a private link to a public Slack channel. Although employees may not do these things on purpose, the resulting data exposure can be impactful. Thankfully, situational and timely security training can help prevent these occurrences.

Uploads to external devices and browsers

Another example would be when employees upload company data to websites or clouds that aren’t IT-approved. This is called shadow IT and it can be dangerous. With no way to turn-off employee access upon departure, and an inability to monitor what happens when data reaches that browser destination and beyond, seeing untrusted browser uploads as they happen is critical. This type of threat can be malicious in nature, for example: data theft. A user might upload source code or intellectual property to their external device for personal gain later on. 

Downloads to untrusted devices

There could be many reasons why an employee would want to download company data and put it on their phone, tablet, or personal laptop. An employee may download a list of prospects to meet with at a conference, or they may download a report from Salesforce because they are taking that sales list to a competitor. But no matter the intent, downloading data to untrusted devices moves it to untrusted locations that are outside of your domain, causing a breach.

Lessons from Data Exfiltration Attacks

Successful data exfiltration attacks can have disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse or abuse, loss of customer trust, brand or reputational damage, legal or regulatory issues, and big ransom payouts.

The following recent data exfiltration attacks illustrate the dangers of failing to mitigate these risks and their wide-ranging impact:

• Credit card data: A fuel and convenience store chain revealed in December 2019 that it had been victim to a nine-month data breach during which attackers installed card-stealing malware on in-store payment processing systems and fuel dispensers. By January, the stolen card data for more than 30 million of its customers was being sold online¹.
• Intellectual property: A malicious insider at a U.S. multinational conglomerate downloaded 8,000 proprietary files — including valuable trade secrets — over eight years in order to launch a company to compete with it. The former employee was sentenced to two years in jail in 2021 and ordered to pay $1.4 million in restitution².
• Currency exchange sata: A foreign currency exchange paid $2.3 million to a ransomware gang to regain access to data lost in an attack on New Year’s Eve 2020. The cybercriminals had gained access to the company’s network and exfiltrated five gigabytes of data³.
• Healthcare information: A ransomware gang stole three terabytes of sensitive data from a Seattle, Washington-based community health center operator in 2021. The personal data of 650,000 individuals was later posted for sale to the highest bidder on the dark web. A class-action lawsuit resulted⁴.
• Mobile data: The same year an attack on a mobile network operator successfully exfiltrated the personal data of 50 million of the company’s customers. A class-action lawsuit resulted⁵.

Data exfiltration can happen via email or various Internet channels like spoofed sites for phishing, file-sharing sites, and social media uploads. Adding to the challenge is the rise of blended threats, whereby cyberattacks come at organizations through multiple channels simultaneously. 

The cybercrime groups behind the most successful data exfiltration attacks are continually tweaking their tactics to access higher-value data. They’re getting smarter.

How to Detect Data Exfiltration

Detecting data exfiltration early is crucial to minimizing damage. Organizations can implement various strategies and tools to identify suspicious activities that might indicate data exfiltration:

• Data Transfers: Large amounts of data being sent to external IP addresses could indicate exfiltration.
• Anomalous user behavior detection: Tools that use machine learning to analyze user behavior can identify deviations from typical patterns, such as accessing or downloading large volumes of data outside of normal work hours.
• Endpoint detection and response (EDR): EDR tools provide real-time monitoring of endpoints to detect and respond to threats that might lead to data exfiltration.
• Data loss prevention (DLP) systems: DLP solutions can monitor and control data flows across the network, alerting or blocking attempts to send sensitive information outside the organization.
• Email monitoring: Since email is a common vector for exfiltration, monitoring for unusual email activity, such as bulk sending of sensitive data, can help detect potential exfiltration attempts.
• Audit logs: Regularly reviewing audit logs from various systems can reveal unauthorized access or data transfers that might have gone unnoticed.
• Intrusion detection systems (IDS): IDS can alert security teams to potential breaches that could lead to data exfiltration, providing early warning signs of malicious activity.

How to prevent Data Exfiltration

Many businesses use Data Loss Prevention (DLP) software to protect their data against exfiltration, but this methodology can fall short. To implement a DLP, companies must set rules that help the system identify sensitive data, block file activity, and send alerts. But that means that your DLP solution is only as good as the rules you set. Sometimes rules can be too sensitive, triggering false alerts that take time and attention away from real threats—and force your security team to needlessly interrupt the workflow of other teams.

Other times rules can be too specific, missing potential threats entirely. To comprehensively combat data exfiltration, you need to: 

• Multi-factor authentication: MFA requires users to verify their information in multiple ways. In addition to a login and password, the user is sent a code, or uses an app, to verify their identity. This second layer of authentication increases security. 
• Offer visibility and context: Organizations need comprehensive visibility into their data exposure and which activities require security intervention. That means closely monitoring computers, cloud applications, and email providers to fully evaluate potential riskrisks.
• Prioritize greatest risks: Companies are constantly bombarded by risks of data exfiltration, but not all of those risks are created equal. The right tools can help security teams identify the events and users that pose the greatest danger and prioritize their responses accordingly.
• Generate an aligned response: Your security analysts need to use their limited time and resources wisely. Ideally, they’ll have access to software that allows them to orchestrate a combination of human and technical responses that are aligned with the severity of the event and situational context.
• Optimize a positive user experience: The best data protection software gives companies a holistic picture of data exposure at their organization by measuring and improving risk posture – without infringing on the employee experience.
• Provide security awareness training: One of your best protections against data exfiltration is your employees. So teach them what steps they can take to keep your company’s data and your customers’ data safe. Leading data protection platforms have built-in features to facilitate employee training, encourage proper use of their tools, and share information securely.
• Use the right DLP tools: When selecting a DLP tool, it is imperative that your DLP technology can keep up with your DLP strategies. DLP technologies are often challenged by complexity and ineffective implementations that fall short when it comes to classifying data and responding to data movement. Make sure your DLP tool is up to the job by seeing if it meets the seven requirements you should consider when evaluating technologies for modern day security.

Data Exfiltration FAQs

What is the difference between a data breach and data exfiltration?

A data breach is a broader term that refers to any incident where unauthorized access to data occurs, potentially leading to data being viewed, stolen, or corrupted. Data exfiltration is a specific type of data breach where data is illicitly transferred out of the organization, usually with the intent of using it for malicious purposes, such as fraud, espionage, or blackmail. In essence, all data exfiltration incidents are data breaches, but not all data breaches involve data exfiltration.

What ports are used for data exfiltration?

Data exfiltration can occur over various network ports, depending on the method employed by the attacker. Commonly exploited ports include:

• Port 80 (HTTP) and Port 443 (HTTPS): These ports are commonly used for web traffic, making them ideal for covert exfiltration via web applications or compromised websites.
• Port 21 (FTP): FTP is used for file transfers and can be exploited by attackers to exfiltrate large volumes of data.
• Port 25 (SMTP): This port, used for sending emails, can be manipulated to send out sensitive data as email attachments.
• Port 53 (DNS): DNS tunneling is a technique where attackers encode data in DNS queries and responses, using Port 53 to exfiltrate information.

What is data exfiltration protection?

Data exfiltration protection involves a combination of policies, practices, and tools designed to prevent unauthorized data transfer out of an organization. This includes:

• Data encryption: Ensuring that data is encrypted at rest, in transit, and in use to prevent unauthorized access even if exfiltrated.
• Access controls: Limiting access to sensitive data based on roles and responsibilities, and employing multi-factor authentication (MFA) to secure access points.
• DLP solutions: Implementing DLP systems that monitor, detect, and prevent unauthorized data movement within and outside the organization.
• Security awareness training: Educating employees on the risks of data exfiltration and teaching them how to recognize phishing attempts and other social engineering tactics.
• Network segmentation: Dividing the network into segments to limit the movement of attackers if they gain access, making it harder for them to exfiltrate data.

What are the effects of data exfiltration?

The impact of a successful data exfiltration act can be severe and far-reaching, including:

• Financial losses: Direct costs related to incident response, legal fees, and regulatory fines, as well as indirect costs like lost revenue and decreased stock value.
• Reputational damage: Loss of trust among customers, partners, and the public can have long-lasting effects on an organization’s brand and market position.
• Legal and regulatory consequences: Non-compliance with data protection regulations can result in hefty fines and legal action from affected parties.
• Operational disruption: The theft of sensitive data can disrupt business operations, especially if critical intellectual property or proprietary software is compromised.
• Intellectual property loss: The exfiltration of trade secrets or proprietary information can erode a company’s competitive advantage, leading to loss of market share and innovation setbacks.

The Bottom Line

Workforce volatility has drastically changed the way companies and employees work, and the threat landscape has changed along with it. With insider threats and data exfiltration on the rise, your company’s IP is at risk.

Whether the result of an employee mistake or a deliberate attack, data exfiltration can have devastating impacts on an organization including financial losses, legal action, reputational damage, and customer impact. Preventing data extraction and mitigating the impact of data exfiltration attacks with a comprehensive cybersecurity plan should be a strategic priority. See how Mimecast’s DLP services can help protect your organization’s data.

1 “Wawa Breach May Have Compromised More Than 30 Million Payment Cards,” Krebs on Security

2 “Former GE Engineer Sentenced to 24 Months for Conspiring to Steal Trade Secrets,” U.S. Department of Justice

3 “Travelex Paid the Ransom, Breach Investigation Still Underway,” CIO Dive

4 “Lawsuit Filed in Health Center Data Exfiltration Breach,” GovInfo Security

5 “Class-Action Complaints Stream in Over T-Mobile Data Breach,” Law Street