Data Exfiltration: What It Is and How to Prevent It

Data exfiltration is one of the biggest — and potentially costliest — cybersecurity threats facing any organization. This unauthorized transmission of data out of an organization can happen any number of ways but is most often carried out by cybercriminals. In the data privacy field, for example, the vast majority (92%) of data breaches in the first quarter of 2022 resulted from cyberattacks, rather than errors such as misdirected emails, according to the Identity Theft Resource Center (ITRC).^[1] The total number of personal data compromises in 2021 reached an all-time high, according to the ITRC, with 93% of them involving sensitive information.[2]

What Is Data Exfiltration?

Data exfiltration is the unauthorized transfer of data out of an organization via unauthorized access to one of its endpoints or other access point, usually by a cybercriminal who has used ransomware or some other malware to illegally access the data. Data exfiltration is one of the biggest and costliest cybersecurity risks organizations face and can result from an attack by outsiders or the actions of malicious or careless insiders.

Data exfiltration — also referred to as data theft, data leakage, or data extrusion — is unlike a traditional ransomware attack in which data may only be encrypted. Both can have sweeping and significant impacts on an organization, its suppliers, and its customers. Data loss can lead to operational issues, financial losses, and reputational damage.

Cybercriminals who carry out data exfiltration are targeting data of high value. The types of data most often stolen in data exfiltration exploits include:

• Corporate and financial information
• Intellectual property and trade secrets
• Customer databases
• Usernames, passwords, and credentials
• Personally identifiable information such as Social Security numbers
• Personal financial information
• Cryptographic keys
• Software or proprietary algorithms

With the right policies and tools such as Mimecast’s data loss prevention (DLP) services, organizations can boost their protection against data exfiltration without impeding operations or productivity.

How Data Exfiltration Happens

Data exfiltration can happen as a result of an attack by outsiders or the efforts of malicious insiders. Bad actors can exfiltrate data any number of ways: digital transfer, the theft of physical devices or documents, or an automated process as part of a persistent cyberattack. And, as the ITRC report reveals, these cyberattacks are growing more complex, sophisticated — and successful.

Some of the more common techniques used for data exfiltration include:

• Phishing and social engineering: Malicious actors can trick victims by email, text, phone, or other method into providing them entry into a device or network. They may get the user to download malware, for example, or provide log-in credentials.
• Malware: Once injected onto a device, malware can spread across an organization’s network where it can infiltrate other systems and search for sensitive corporate data to exfiltrate. In some cases, malware can lurk in the network, gradually stealing data over time.
• Email: Cybercriminals can steal data sitting in email systems, such as calendars, databases, documents, and images. They can exfiltrate the data as email, text, or file attachments.
• Downloads/uploads: Under the category of accidental exfiltration, someone may access data from an insecure device like a smartphone or external hard drive, where it is no longer protected by corporate cybersecurity policies and solutions. In the malicious insider category, employees or contractors may download information from a secure device and then upload it to an external device like a laptop, smartphone, tablet, or thumb drive.
• Poor cloud hygiene: When authorized users access cloud services in an insecure way, they may leave a door open for bad actors to deploy and install malicious code, make changes to virtual machines, or submit nefarious requests to cloud services. 

There are a few ways that cybercriminals can profit from data exfiltration. Bad actors may steal data outright to gain access to personal or financial accounts and insider business information, or they may sell that data on the black market. Alternatively, they may use data exfiltration to supercharge their ransomware efforts. Typically, in a ransomware attack, cybercriminals will encrypt data or otherwise make it inaccessible until the victim organization pays them to restore data access. But, as explained in a March 2022 alert from the FBI, ransomware gangs are now combining encryption with data theft.[3] They are fortifying their efforts with so-called double extortion, threatening to leak or sell an organization’s data if a payment is not made.

Lessons from Recent Data Exfiltration Attacks

Successful data exfiltration attacks can have disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse or abuse, loss of customer trust, brand or reputational damage, legal or regulatory issues, and big ransom payouts.

The following recent data exfiltration attacks illustrate the dangers of failing to mitigate these risks and their wide-ranging impact:

• Credit card data: A fuel and convenience store chain revealed in December 2019 that it had been victim to a nine-month data breach during which attackers installed card-stealing malware on in-store payment processing systems and fuel dispensers. By January, the stolen card data for more than 30 million of its customers was being sold online.[4]
• Intellectual property: A malicious insider at a U.S. multinational conglomerate downloaded 8,000 proprietary files — including valuable trade secrets — over eight years in order to launch a company to compete with it. The former employee was sentenced to two years in jail in 2021 and ordered to pay $1.4 million in restitution.[5]
• Currency exchange data: A foreign currency exchange paid $2.3 million to a ransomware gang to regain access to data lost in an attack on New Year’s Eve 2020. The cybercriminals had gained access to the company’s network and exfiltrated five gigabytes of data.[6]
• Healthcare information: A ransomware gang stole three terabytes of sensitive data from a Seattle, Washington-based community health center operator in 2021. The personal data of 650,000 individuals was later posted for sale to the highest bidder on the dark web. A class-action lawsuit resulted.[7] 
• Mobile data: The same year an attack on a mobile network operator successfully exfiltrated the personal data of 50 million of the company’s customers. A class-action lawsuit resulted.[8]

Data exfiltration can happen via email or various Internet channels like spoofed sites for phishing, file-sharing sites, and social media uploads. Adding to the challenge is the rise of blended threats, whereby cyberattacks come at organizations through multiple channels simultaneously. 

The cybercrime groups behind the most successful data exfiltration attacks are continually tweaking their tactics to access higher-value data. They’re getting smarter. “While most ransomware attacks have traditionally focused on speed — resulting in large amounts of nonvaluable information being moved — our current research shows that attackers are increasingly…exfiltrating more sensitive data,” IDC recently wrote.[9]

How to Secure Your Data and Prevent Data Exfiltration

Data exfiltration and loss is a multi-faceted risk that must be addressed with multi-layered defenses. Organizations are vulnerable to data exfiltration through both outside attacks and insider threats and must fortify themselves against both types of risk. Despite the prevalence of malicious insider threats, just 44% of respondents to Mimecast’s State of Email Security 2022 survey said their companies have systems to monitor and protect against data leaks or exfiltration in outbound email.

Unfortunately, data exfiltration prevention is not as simple as an organization locking down all its data. Corporate performance and employee productivity in the digital age is dependent on the flow of information. Therefore, businesses must strike a delicate balance between protecting their data from exfiltration risk while continuing to enable organizational efficiency.

Organizations that want to mitigate the risk of data exfiltration take a holistic approach that identifies high-value and vulnerable data, implements effective and up-to-date cybersecurity tools and policies, and educates employees and partners. Some best practices to adopt include:

• Conduct a data risk assessment. Organizations use risk assessments to identify their most sensitive data, the biggest threats to that data, the likelihood of those threats becoming reality, and the damage that data exfiltration would cause. That way, they can best prioritize, protect against, and prepare for those data exfiltration risks. 
• Implement data encryption. Data encryption can protect data in all its forms and prevent unauthorized use. (For more insight, see “Data Encryption: How to Protect Data in Transit, Data in Use and Data at Rest.”)
• Monitor user behaviors. Tracking user activity can ensure that users access and handle data properly. There are tools available to analyze behavioral patterns and identify abnormal or unexpected actions indicative of malicious or inadvertent data exfiltration. 
• Invest in cybersecurity tools. A number of systems can bolster protection against data loss. Next-generation firewalls can block unauthorized access to resources and systems storing sensitive information and protect networks from internal threats as well. Security information and event management systems (SIEMs) can help secure data in motion, in use, and at rest; fortify endpoints; and identify suspicious data transfers. Intrusion detection systems (IDSs) can monitor networks for known threats and suspicious or malicious traffic. AI-enabled email security solutions can identify social engineering attempts and stop phishing emails before they get to employees. 
• Introduce and enforce a bring your own device (BYOD) policy. The use of personal devices to perform work creates additional data exfiltration risk. Every organization should have a policy outlining what users can and can’t access from personal devices and what security controls are required.
• Perform frequent data backups. Data backups ensure that an organization will be able to restore lost or stolen data if necessary. Data should be backed up frequently.
• Consider limiting privileged access. Just-in-time access is an emerging practice whereby users can only access sensitive data for a specific reason and for a limited period of time, helping to minimize the risk of data exfiltration. 
• Educate and train employees. Most data breaches are the result of human error. It’s important to educate employees about phishing, the dangers of transferring data to unprotected devices and insecure cloud storage, and the problems with weak credentials. Organizations should offer timely and frequent security awareness training in how to detect and respond to the cyberthreats that can result in data exfiltration. Notifying employees of trends in fraudulent emails, for example, can mitigate the risk of data exfiltration.

Because cybercriminals can use email as their way in to steal valuable data — and insiders can use email to transfer data out — a multilayered defense and a DLP strategy are key. Services such as Mimecast’s provide centralized management and real-time application of flexible DLP security policies. To identify potential data leaks, such solutions scan all inbound and outbound email, using pattern matching, keywords, file hashes, and dictionaries — and then automatically encrypt sensitive or confidential data or block it from being sent outside the organization.

The Bottom Line

Whether the result of an employee mistake or a deliberate attack, data exfiltration can have devastating impacts on an organization including financial losses, legal action, reputational damage, and customer impact. Preventing data extraction and mitigating the impact of data exfiltration attacks with a comprehensive cybersecurity plan should be a strategic priority. See how Mimecast’s DLP services can help protect your organization’s data.

^[1] “Data Breaches Increase; Victim Rates Drop in Q1 2022,” Identity Theft Resource Center

² “2021 Annual Data Breach Report Sets New Record for Number of Compromises,” Identity Theft Resource Center

³ “Joint Cybersecurity Advisory: Indicators of Compromise Associated with AvosLocker Ransomware,” FBI 

⁴ “Wawa Breach May Have Compromised More Than 30 Million Payment Cards,” Krebs on Security

⁵ “Former GE Engineer Sentenced to 24 Months for Conspiring to Steal Trade Secrets,” U.S. Department of Justice

⁶ “Travelex Paid the Ransom, Breach Investigation Still Underway,” CIO Dive

⁷ “Lawsuit Filed in Health Center Data Exfiltration Breach,” GovInfo Security

⁸ “Class-Action Complaints Stream in Over T-Mobile Data Breach,” Law Street

⁹ “Data Exfiltration Trends Demonstrate Ransomware Evolution,” IDC