Data Exfiltration: What It Is and How to Prevent It
Learn why data exfiltration — the technical term for data theft — is on the rise and what you can do to avoid the loss of your organization’s sensitive data.
Key Points
- Data exfiltration, the unauthorized transfer of data out of an organization, is one of the biggest and costliest cybersecurity risks companies face.
- Data exfiltration can result from an attack by outsiders or the actions of malicious or careless insiders.
- Cybercriminals’ techniques for stealing data are growing more sophisticated, and are best addressed with a multi-layered defense.
Data exfiltration is one of the biggest, and potentially costliest, cybersecurity threats facing any organization. This unauthorized transmission of data out of an organization can happen in any number of ways but is most often carried out by cybercriminals. For example, the vast majority (92%) of data breaches in the first quarter of 2022 resulted from cyberattacks rather than from errors such as misdirected emails, according to the Identity Theft Resource Center (ITRC).[1] The total number of personal data compromises in 2021 reached an all-time high, according to the ITRC, with 93% of them involving sensitive information.[2]
What Is Data Exfiltration?
Data exfiltration is the unauthorized transfer of data out of an organization. It usually follows unauthorized access to one of the organization’s endpoints, accounts, or other entry points, typically by a cybercriminal who got in through malware, phishing, or stolen credentials, but it can also be carried out by an authorized user who copies data they are entitled to read to a place they are not entitled to send it. It is one of the biggest and costliest cybersecurity risks organizations face and can result from an attack by outsiders or the actions of malicious or careless insiders.
Data exfiltration, also referred to as data theft, data leakage, or data extrusion, differs from a traditional ransomware attack in which data is encrypted in place but never leaves the network: once a copy has been taken, no restore or decryption can undo the disclosure. Both can have sweeping and significant impacts on an organization, its suppliers, and its customers. Data loss can lead to operational issues, financial losses, and reputational damage.
Cybercriminals who carry out data exfiltration are targeting data of high value. The types of data most often stolen in data exfiltration exploits include:
- Corporate and financial information
- Intellectual property and trade secrets
- Customer databases
- Usernames, passwords, and credentials
- Personally identifiable information such as Social Security numbers
- Personal financial information
- Cryptographic keys
- Software or proprietary algorithms
With the right policies and tools such as Mimecast’s data loss prevention (DLP) services, organizations can boost their protection against data exfiltration without impeding operations or productivity.
How does Data Exfiltration Work?
Data exfiltration can happen as a result of an attack by outsiders or the efforts of malicious insiders. Bad actors can exfiltrate data in a number of ways: digital transfer, the theft of physical devices or documents, or an automated process as part of a persistent cyberattack. And, as the ITRC report reveals, these cyberattacks are growing more complex, sophisticated — and successful.
Some of the more common techniques used for data exfiltration include:
- Phishing and social engineering: Malicious actors can trick victims by email, text, phone, or other method into providing them entry into a device or network. They may get the user to download malware, for example, or provide log-in credentials.
- Malware: Once installed on a device, malware can spread across an organization’s network, infiltrate other systems, and search for sensitive corporate data to exfiltrate. In some cases, malware lurks in the network and steals data gradually over a long period, in pieces small enough to stay under volume-based alert thresholds.
- Email: Cybercriminals can steal data sitting in email systems, such as calendars, databases, documents, and images. They can exfiltrate the data as email, text, or file attachments.
- Downloads/uploads: Under the category of accidental exfiltration, someone may access data from an insecure device like a smartphone or external hard drive, where it is no longer protected by corporate cybersecurity policies and solutions. In the malicious insider category, employees or contractors may download information from a secure device and then upload it to an external device like a laptop, smartphone, tablet, or thumb drive.
- Poor cloud hygiene: When authorized users access cloud services in an insecure way, they may leave a door open for bad actors to deploy and install malicious code, make changes to virtual machines, or submit nefarious requests to cloud services.
There are a few ways that cybercriminals can profit from data exfiltration. Bad actors may steal data outright to gain access to personal or financial accounts and insider business information, or they may sell that data on the black market. Alternatively, they may use data exfiltration to supercharge their ransomware efforts. Typically, in a ransomware attack, cybercriminals will encrypt data or otherwise make it inaccessible until the victim organization pays them to restore data access. But, as explained in a March 2022 alert from the FBI, ransomware gangs are now combining encryption with data theft.[3] They are fortifying their efforts with so-called double extortion, threatening to leak or sell an organization’s data if a payment is not made.
Types of Exfiltrated Data
Data exfiltration often targets the most sensitive and valuable information within an organization. The types of data that are frequently exfiltrated include:
- Corporate and Financial Data: Sensitive financial reports, company performance metrics, and strategic business plans are often targeted for corporate espionage or financial fraud.
- Intellectual Property (IP) and Trade Secrets: These can include proprietary technologies, product designs, patents, and any other innovation that provides a competitive advantage.
- Customer Databases: Containing personal and financial information, customer databases are gold mines for cybercriminals who aim to commit identity theft, fraud, or sell the information on the dark web.
- Credentials: Usernames, passwords, and other access credentials can be used to further infiltrate systems or sold to other bad actors.
- Personally Identifiable Information (PII): PII such as Social Security numbers, birth dates, and addresses are often exfiltrated to be exploited in identity theft schemes.
- Cryptographic Keys: Exfiltrating cryptographic keys can allow attackers to decrypt sensitive data, which might have otherwise been secure.
- Proprietary Algorithms and Software: The theft of software or algorithms can compromise an organization’s intellectual property and competitive edge, especially in tech-centric industries.
Lessons from Recent Data Exfiltration Attacks
Successful data exfiltration attacks can have disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse or abuse, loss of customer trust, brand or reputational damage, legal or regulatory issues, and big ransom payouts.
The following recent data exfiltration attacks illustrate the dangers of failing to mitigate these risks and their wide-ranging impact:
- Credit card data: A fuel and convenience store chain revealed in December 2019 that it had been the victim of a nine-month data breach during which attackers installed card-stealing malware on in-store payment processing systems and fuel dispensers. By January, the stolen card data of more than 30 million of its customers was being sold online.[4]
- Intellectual property: A malicious insider at a U.S. multinational conglomerate downloaded 8,000 proprietary files — including valuable trade secrets — over eight years in order to launch a company to compete with it. The former employee was sentenced to two years in jail in 2021 and ordered to pay $1.4 million in restitution.[5]
- Currency exchange data: A foreign currency exchange paid $2.3 million to a ransomware gang to regain access to data lost in an attack on New Year’s Eve 2020. The cybercriminals had gained access to the company’s network and exfiltrated five gigabytes of data.[6]
- Healthcare information: A ransomware gang stole three terabytes of sensitive data from a Seattle, Washington-based community health center operator in 2021. The personal data of 650,000 individuals was later posted for sale to the highest bidder on the dark web. A class-action lawsuit resulted.[7]
- Mobile data: The same year, an attack on a mobile network operator exfiltrated the personal data of 50 million of the company’s customers. A class-action lawsuit resulted.[8]
Data exfiltration can happen via email or various Internet channels like spoofed sites for phishing, file-sharing sites, and social media uploads. Adding to the challenge is the rise of blended threats, whereby cyberattacks come at organizations through multiple channels simultaneously.
The cybercrime groups behind the most successful data exfiltration attacks are continually tweaking their tactics to access higher-value data. They’re getting smarter. “While most ransomware attacks have traditionally focused on speed — resulting in large amounts of nonvaluable information being moved — our current research shows that attackers are increasingly…exfiltrating more sensitive data,” IDC recently wrote.[9]
How to Detect Data Exfiltration
Detecting data exfiltration early is crucial to minimizing damage. Organizations can implement various strategies and tools to identify suspicious activities that might indicate data exfiltration:
- Network Traffic Monitoring: Watching outbound traffic can reveal unusual data transfers, such as large amounts of data being sent to external IP addresses, or transfers to destinations a host has never contacted before, which could indicate exfiltration.
- Anomalous User Behavior Detection: Tools that use machine learning to analyze user behavior can identify deviations from typical patterns, such as accessing or downloading large volumes of data outside of normal work hours.
- Endpoint Detection and Response (EDR): EDR tools provide real-time monitoring of endpoints to detect and respond to threats that might lead to data exfiltration.
- Data Loss Prevention (DLP) Systems: DLP solutions can monitor and control data flows across the network, alerting or blocking attempts to send sensitive information outside the organization.
- Email Monitoring: Since email is a common vector for exfiltration, monitoring for unusual email activity, such as bulk sending of sensitive data, can help detect potential exfiltration attempts.
- Audit Logs: Regularly reviewing audit logs from various systems can reveal unauthorized access or data transfers that might have gone unnoticed.
- Intrusion Detection Systems (IDS): IDS can alert security teams to potential breaches that could lead to data exfiltration, providing early warning signs of malicious activity.
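The network-traffic and audit-log checks above can be reduced to a concrete rule. The following Python script is an added example, not code from the original article or from Mimecast; it reads constructed flow records (the date, source host, destination IP and byte-count fields, the internal address ranges, and the host names are all assumptions for the example) and flags hosts whose outbound volume to external addresses is both large and far above their own median from earlier days.

```python
"""Outbound-volume baseline check over constructed flow records.

Added example (not Mimecast's code). Each record is: date, source host,
destination IP, bytes sent. A host is flagged when today's bytes to
external destinations are both large in absolute terms and far above
that host's own median from previous days.
"""
import ipaddress
import statistics
from collections import defaultdict

# Organization-defined internal ranges (an assumption for the example;
# real deployments take these from the IPAM or firewall configuration).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log. 10.0.5.20 is an internal file server;
# 198.51.100.7 stands in for a SaaS provider and 203.0.113.45 for an
# attacker-controlled host (both are RFC 5737 documentation addresses).
SAMPLE_FLOWS = """\
2024-03-01 ws-017 10.0.5.20     4000000
2024-03-01 ws-017 198.51.100.7  12000000
2024-03-02 ws-017 198.51.100.7  15000000
2024-03-03 ws-017 198.51.100.7  11000000
2024-03-04 ws-017 198.51.100.7  13000000
2024-03-05 ws-017 203.0.113.45  950000000
2024-03-01 ws-042 198.51.100.7  9000000
2024-03-02 ws-042 198.51.100.7  8500000
2024-03-03 ws-042 198.51.100.7  9500000
2024-03-04 ws-042 198.51.100.7  9100000
2024-03-05 ws-042 198.51.100.7  9300000
2024-03-05 ws-042 10.0.5.20     800000000
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse 'date host dst_ip bytes' lines into (date, host, dst, bytes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split()
        rows.append((date, host, dst, int(nbytes)))
    return rows


def daily_external_bytes(rows):
    """host -> {date: bytes sent to non-internal destinations}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, dst, nbytes in rows:
        if not is_internal(dst):
            totals[host][date] += nbytes
    return totals


def find_outliers(totals, day, ratio=10.0, min_bytes=100_000_000):
    """Return (host, bytes_today, baseline) for hosts exceeding both an
    absolute floor and `ratio` times their median from earlier days.
    The floor stops noisy alerts on hosts whose baseline is near zero."""
    alerts = []
    for host, per_day in totals.items():
        today = per_day.get(day, 0)
        history = [b for d, b in per_day.items() if d < day]
        baseline = statistics.median(history) if history else 0
        if today >= min_bytes and today > ratio * baseline:
            alerts.append((host, today, baseline))
    return sorted(alerts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, today, base in find_outliers(daily_external_bytes(flows),
                                           "2024-03-05"):
        print(f"ALERT {host}: {today / 1e6:.0f} MB to external hosts today "
              f"vs median {base / 1e6:.1f} MB")
```

Run as a script, it prints one alert for ws-017, whose 950 MB to an external host dwarfs its 12.5 MB baseline, while ws-042's 800 MB copy to the internal file server is ignored. Both thresholds are needed: a ratio alone fires on hosts whose baseline is near zero, and a floor alone misses a quiet host that suddenly sends ten times its norm. The rule is deliberately blind to the low-and-slow pattern described earlier, which is why it belongs alongside destination-novelty and DNS checks rather than on its own.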
Data Exfiltration Prevention
Data exfiltration and loss are multi-faceted risks that must be addressed with multi-layered defenses. Organizations are vulnerable to data exfiltration through both outside attacks and insider threats and must fortify themselves against both. Despite the prevalence of malicious insider threats, just 44% of respondents to Mimecast’s State of Email Security 2022 survey said their companies have systems to monitor and protect against data leaks or exfiltration in outbound email.
Unfortunately, data exfiltration prevention is not as simple as an organization locking down all its data. Corporate performance and employee productivity in the digital age is dependent on the flow of information. Therefore, businesses must strike a delicate balance between protecting their data from exfiltration risk while continuing to enable organizational efficiency.
Organizations that want to mitigate the risk of data exfiltration take a holistic approach that identifies high-value and vulnerable data, implements effective and up-to-date cybersecurity tools and policies, and educates employees and partners. Some best practices to adopt include:
- Conduct a data risk assessment. Organizations use risk assessments to identify their most sensitive data, the biggest threats to that data, the likelihood of those threats becoming reality, and the damage that data exfiltration would cause. That way, they can best prioritize, protect against, and prepare for those data exfiltration risks.
- Implement data encryption. Encrypting data at rest and in transit limits what an attacker can do with a raw copy of files, disks, or captured traffic. It does not help when the attacker operates through a legitimate, authenticated session that decrypts data on their behalf, so encryption must be paired with access control and careful key management. (For more insight, see “Data Encryption: How to Protect Data in Transit, Data in Use and Data at Rest.”)
- Monitor user behaviors. Tracking user activity can ensure that users access and handle data properly. There are tools available to analyze behavioral patterns and identify abnormal or unexpected actions indicative of malicious or inadvertent data exfiltration.
- Invest in cybersecurity tools. A number of systems can bolster protection against data loss. Next-generation firewalls and egress filtering can block unauthorized access to systems storing sensitive information and restrict which outbound destinations, ports, and protocols internal hosts may use. Security information and event management systems (SIEMs) aggregate and correlate logs from endpoints, network devices, and cloud services so that suspicious data transfers can be spotted across sources that would look innocuous on their own. Intrusion detection systems (IDSs) can monitor networks for known threats and suspicious or malicious traffic. AI-enabled email security solutions can identify social engineering attempts and stop phishing emails before they reach employees.
- Introduce and enforce a bring your own device (BYOD) policy. The use of personal devices to perform work creates additional data exfiltration risk. Every organization should have a policy outlining what users can and can’t access from personal devices and what security controls are required.
- Perform frequent data backups. Backups ensure that an organization can restore data that has been encrypted, deleted, or corrupted, which blunts the encryption half of a double-extortion attack. They do nothing to reverse the theft half: a copy that has already left the network is still in the attacker’s hands, so backups complement rather than replace the preventive controls above.
- Consider limiting privileged access. Apply least privilege so that accounts hold only the permissions their role requires, and consider just-in-time access, whereby users receive access to sensitive data for a specific reason and a limited period. Both shrink what a compromised account or a malicious insider can reach and therefore exfiltrate.
- Educate and train employees. Most attacks begin with a human action, such as opening a phishing attachment, reusing a weak password, or copying files to an unmanaged device. It’s important to educate employees about phishing, the dangers of transferring data to unprotected devices and insecure cloud storage, and the problems with weak credentials. Organizations should offer timely and frequent security awareness training in how to detect and respond to the cyberthreats that can result in data exfiltration. Notifying employees of trends in fraudulent emails, for example, can mitigate the risk of data exfiltration.
Because cybercriminals can use email as their way in to steal valuable data — and insiders can use email to transfer data out — a multilayered defense and a DLP strategy are key. Services such as Mimecast’s provide centralized management and real-time application of flexible DLP security policies. To identify potential data leaks, such solutions scan all inbound and outbound email, using pattern matching, keywords, file hashes, and dictionaries — and then automatically encrypt sensitive or confidential data or block it from being sent outside the organization.
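The scanning techniques just listed (pattern matching, keywords, file hashes, and dictionaries) combine into a simple outbound-mail policy. The Python below is an added example and is not Mimecast’s product logic; the company domain, the dictionary terms, the hashed document, the message contents, and the allow/encrypt/block policy are all constructed for the example. It uses a Luhn check so that arbitrary digit runs such as order numbers do not register as payment cards.

```python
"""Outbound-email DLP check: pattern matching, dictionaries, file hashes.

Added example (not Mimecast's product logic). It scans a constructed
message for U.S. SSNs, Luhn-valid payment card numbers, confidential
dictionary terms, and attachments whose SHA-256 is on a blocklist, then
decides whether to allow, encrypt, or block delivery to external recipients.
"""
import hashlib
import re

INTERNAL_DOMAIN = "example.com"  # assumed company domain

# Dictionary of terms that must never leave the company (constructed).
CONFIDENTIAL_TERMS = ("project falcon", "internal only", "do not distribute")

# Hash blocklist, seeded here from a constructed document body. In practice
# it is filled by hashing the files a classification tool marks sensitive.
BOARD_DECK = b"Q3 board deck - DRAFT - revenue by region"
BLOCKED_SHA256 = {hashlib.sha256(BOARD_DECK).hexdigest()}

# SSN: excludes area 000, 666 and 9xx, group 00, and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits with optional space/dash separators; validated with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str):
    """Return (kind, value) findings for PII patterns and dictionary terms."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits))
    lowered = text.lower()
    for term in CONFIDENTIAL_TERMS:
        if term in lowered:
            findings.append(("keyword", term))
    return findings


def scan_attachments(attachments):
    """attachments: iterable of (filename, bytes); flags blocklisted hashes."""
    return [("hash", name) for name, blob in attachments
            if hashlib.sha256(blob).hexdigest() in BLOCKED_SHA256]


def decide(message):
    """Return (action, findings). Policy: internal-only mail is allowed;
    dictionary or hash hits to outsiders are blocked; PII or card data
    to outsiders is forced through encryption."""
    external = [r for r in message["to"]
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    findings = scan_text(message["subject"] + "\n" + message["body"])
    findings += scan_attachments(message.get("attachments", ()))
    if not external or not findings:
        return "allow", findings
    kinds = {kind for kind, _ in findings}
    if kinds & {"keyword", "hash"}:
        return "block", findings
    return "encrypt", findings


# Constructed messages (addresses use reserved example domains).
PII_TO_PARTNER = {
    "to": ["claims@partner-insurer.example"],
    "subject": "Customer record",
    "body": "SSN 123-45-6789, card 4111 1111 1111 1111, order 4111-1111-1111-1112",
}
LEAK_ATTEMPT = {
    "to": ["me@personal-mail.example"],
    "subject": "fwd: Project Falcon roadmap",
    "body": "see attached",
    "attachments": [("deck.txt", BOARD_DECK)],
}
INTERNAL_COPY = {**PII_TO_PARTNER, "to": ["ops@example.com"]}

if __name__ == "__main__":
    for label, msg in (("partner", PII_TO_PARTNER), ("leak", LEAK_ATTEMPT),
                       ("internal", INTERNAL_COPY)):
        action, found = decide(msg)
        print(f"{label:8s} -> {action:7s} {found}")
```

The “order” number in the first message differs from the real card number only in its last digit, and the Luhn check is what keeps it out of the findings. Real deployments add dictionaries per business unit, hash whole document fingerprints rather than exact bytes, and log every decision so that a blocked message can be reviewed rather than silently dropped.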
The Bottom Line
Whether the result of an employee mistake or a deliberate attack, data exfiltration can have devastating impacts on an organization, including financial losses, legal action, reputational damage, and harm to customers. Preventing data exfiltration, and limiting the impact of attacks that succeed, with a comprehensive cybersecurity plan should be a strategic priority. See how Mimecast’s DLP services can help protect your organization’s data.
Data Exfiltration FAQs
What is the difference between a data breach and data exfiltration?
A data breach is a broader term that refers to any incident where unauthorized access to data occurs, potentially leading to data being viewed, stolen, or corrupted. Data exfiltration is a specific type of data breach where data is illicitly transferred out of the organization, usually with the intent of using it for malicious purposes, such as fraud, espionage, or blackmail. In essence, all data exfiltration incidents are data breaches, but not all data breaches involve data exfiltration.
What ports are used for data exfiltration?
Data exfiltration can occur over various network ports, depending on the method employed by the attacker. Attackers favor ports an organization must leave open for business, because traffic on them blends in with legitimate use. Commonly exploited ports include:
- Port 80 (HTTP) and Port 443 (HTTPS): These ports carry ordinary web traffic, so uploads to attacker-controlled web servers, cloud storage, or paste sites blend in with normal browsing. HTTPS also encrypts the payload, so content inspection requires TLS interception at the proxy; without it, defenders see only volume and destination.
- Port 21 (FTP): FTP is used for file transfers and can be exploited to move large volumes of data. It is a plaintext protocol that workstations rarely need outbound, which makes it a good candidate for blocking at the egress firewall.
- Port 25 (SMTP): This port, used for sending email, can be manipulated to send out sensitive data in message bodies or attachments. Only mail servers should normally speak SMTP to the Internet, so outbound connections on this port from any other host deserve an alert.
- Port 53 (DNS): DNS tunneling is a technique in which attackers encode data in DNS queries and responses, using Port 53 to exfiltrate information. DNS is almost always permitted outbound and often not logged in full, which is exactly what makes it attractive; the tell-tale signs are large numbers of unique, long, random-looking subdomains under a single domain.
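The DNS tunneling indicators mentioned in the answer above can be measured directly from resolver logs. The script below is an added example, not code from the original article or from Mimecast. Its query log is constructed: benign lookups of reserved example domains from a few clients, plus forty queries whose leftmost label is a 50-character hexadecimal chunk, generated here from SHA-256 so the sample is deterministic, standing in for the encoded file contents a real tunnel would carry. The client addresses, domain names, and thresholds are assumptions for the example.

```python
"""DNS-tunneling indicators over a constructed query log.

Added example (not Mimecast's code). For each parent domain it counts
unique subdomains and measures their average length and Shannon entropy;
a domain receiving many long, random-looking subdomains is the classic
signature of data encoded into DNS queries.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character: near 4.0 for hex data, lower for ordinary names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, parent). Assumes two-label registrable domains;
    production code should consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def suspicious_domains(queries, min_unique=20, min_len=30, min_entropy=3.0):
    """queries: iterable of (client_ip, qname). Returns a list of
    (parent, unique_subdomains, avg_len, avg_entropy, clients) for parents
    that receive many long, high-entropy subdomains."""
    subs = defaultdict(set)
    clients = defaultdict(set)
    for client, qname in queries:
        sub, parent = split_qname(qname)
        if sub:
            subs[parent].add(sub)
        clients[parent].add(client)
    flagged = []
    for parent, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(s) for s in names) / len(names)
        avg_ent = sum(shannon_entropy(s.replace(".", ""))
                      for s in names) / len(names)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged.append((parent, len(names), round(avg_len, 1),
                            round(avg_ent, 2), sorted(clients[parent])))
    return flagged


# Constructed log. Benign traffic: a handful of well-known names from
# several clients. Tunnel traffic: 40 queries from one host, each with a
# 50-character hex label derived from SHA-256 for determinism.
SAMPLE_QUERIES = []
for client in ("10.0.7.11", "10.0.7.12", "10.0.7.13"):
    for name in ("www.example.com", "mail.example.com", "cdn.example.com",
                 "api.example.org", "www.example.org"):
        SAMPLE_QUERIES.append((client, name))
for i in range(40):
    chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:50]
    SAMPLE_QUERIES.append(("10.0.7.11", f"{chunk}.example.net"))

if __name__ == "__main__":
    for parent, n, avg_len, avg_ent, who in suspicious_domains(SAMPLE_QUERIES):
        print(f"TUNNEL? {parent}: {n} unique subdomains, avg len {avg_len}, "
              f"avg entropy {avg_ent} bits/char, clients {who}")
```

Only example.net is reported, with all forty queries coming from 10.0.7.11. Content-delivery networks and some anti-malware products also generate long machine-made subdomains, so in practice the parent-domain score is combined with query volume per client and an allow-list of known services before it raises an alert.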
What is data exfiltration protection?
Data exfiltration protection involves a combination of policies, practices, and tools designed to prevent unauthorized data transfer out of an organization. This includes:
- Data Encryption: Ensuring that data is encrypted at rest, in transit, and where possible in use, so that a raw copy obtained without the keys is useless to the thief. Encryption does not protect data an attacker reads through a compromised account that is authorized to decrypt it, so it must be combined with the access controls below.
- Access Controls: Limiting access to sensitive data based on roles and responsibilities, and employing multi-factor authentication (MFA) to secure access points.
- DLP Solutions: Implementing DLP systems that monitor, detect, and prevent unauthorized data movement within and outside the organization.
- Security Awareness Training: Educating employees on the risks of data exfiltration and teaching them how to recognize phishing attempts and other social engineering tactics.
- Network Segmentation: Dividing the network into segments to limit the movement of attackers if they gain access, making it harder for them to exfiltrate data.
What are the effects of data exfiltration?
The impact of a successful data exfiltration act can be severe and far-reaching, including:
- Financial Losses: Direct costs related to incident response, legal fees, and regulatory fines, as well as indirect costs like lost revenue and decreased stock value.
- Reputational Damage: Loss of trust among customers, partners, and the public can have long-lasting effects on an organization’s brand and market position.
- Legal and Regulatory Consequences: Non-compliance with data protection regulations can result in hefty fines and legal action from affected parties.
- Operational Disruption: The theft of sensitive data can disrupt business operations, especially if critical intellectual property or proprietary software is compromised.
- Intellectual Property Loss: The exfiltration of trade secrets or proprietary information can erode a company’s competitive advantage, leading to loss of market share and innovation setbacks.
[1] “Data Breaches Increase; Victim Rates Drop in Q1 2022,” Identity Theft Resource Center
[2] “2021 Annual Data Breach Report Sets New Record for Number of Compromises,” Identity Theft Resource Center
[3] “Joint Cybersecurity Advisory: Indicators of Compromise Associated with AvosLocker Ransomware,” FBI
[4] “Wawa Breach May Have Compromised More Than 30 Million Payment Cards,” Krebs on Security
[5] “Former GE Engineer Sentenced to 24 Months for Conspiring to Steal Trade Secrets,” U.S. Department of Justice
[6] “Travelex Paid the Ransom, Breach Investigation Still Underway,” CIO Dive
[7] “Lawsuit Filed in Health Center Data Exfiltration Breach,” GovInfo Security
[8] “Class-Action Complaints Stream in Over T-Mobile Data Breach,” Law Street
[9] “Data Exfiltration Trends Demonstrate Ransomware Evolution,” IDC