Skip to main content

Request SaaS Deployment

Contact Sales

Data Protection

Data Exfiltration: What It Is, Examples, and Prevention Tips


Data security is vital to your organization’s well-being. Even a single data exfiltration incident can bring unwanted attention to your organization, leading to reputational and financial losses. That’s why companies across industries pay maximum attention to their cybersecurity measures and constantly enhance them.

In this article, we explain the meaning of data exfiltration and how it’s performed. We also explore recent real-life data exfiltration examples and offer ten best practices to help you protect your data.

What is data exfiltration?

Data exfiltration is the unauthorized transfer of data from an organization’s systems or devices to an external location. Such a security breach is sometimes called data theft, data exportation, a data leak, or data extrusion.

Definition of data exfiltration

Data exfiltration definition by Google Cloud

Malicious actors can exfiltrate data through digital transfer, the theft of physical documents or corporate devices, or an automated process as part of a targeted attack on sensitive data.

What data is at risk?

Data an attacker may target includes:

Data at risk of exfiltration

What are the consequences?

Potential consequences of data exfiltration depend on the attacker’s goals. Attackers might demand payment to return stolen data to the organization, sell data to a company’s competitor, or use data to get revenge on a former employer.

Consequences of data exfiltration

Where are data exfiltration threats coming from?

Data can be exfiltrated in a range of ways from both inside and outside the organization. We will first figure out the common actors behind data exfiltration.

Who can potentially exfiltrate data?

Data exfiltration results from either external or internal threats. The most common actors behind data exfiltration are:

Cybercriminals or employees may carry out data exfiltration, trying to gain access to an organization’s assets and data with malicious intent. Former employees can be a threat if they still have access to their accounts or if they managed to create backdoor accounts before leaving the company.

But not only external attackers and current or former employees can exfiltrate data. Third-party vendors with access to your organization’s networks and systems also can. A special category of insiders worth your attention is users with elevated access rights. Privileged users often have full and permanent access to protected data, applications, and systems, and thus pose additional security risks.

In addition to malicious insiders, regular users can accidentally expose sensitive data by neglecting corporate data security policies. It’s worth mentioning that even external attacks are frequently made possible by inadvertent insiders. That’s why people-centric security is vital for your data protection.

In the next section, we review the most common methods of data exfiltration to help you better understand what areas of your organization’s security need improvement.

What are the common vectors of data exfiltration?

As we already mentioned, data can be compromised and stolen by both internal and external actors. The most commonly used data exfiltration techniques, sources, and vectors include:

Common vectors of data exfiltration


Email is still one of the major data exfiltration methods, used by cybercriminals to distribute malware and perform phishing attacks. Phishing usually involves sending an email to deceive recipients into revealing sensitive information or downloading an infected attachment. As perpetrators claim to be sending their emails from a trusted source, those targeted can’t always distinguish a potentially dangerous email from a legitimate one.

Outbound emails

A user can forward an email with sensitive data to a personal account. For instance, a negligent employee can email corporate data to a third-party supplier. Malicious insiders may willfully move information outside the organization’s perimeter in the form of a file attachment or a text message.

Personal devices

Employees may copy corporate data to flash drives, smartphones, cameras, and other external drives. From there, attackers can hack the unprotected devices and exfiltrate data. A user can also intentionally steal data using personal storage devices. With remote work and hybrid office environments still common, employees may expose data through vulnerabilities in their home computers and networks.

Сloud vulnerabilities

Data stored in cloud-based environments can be vulnerable to exfiltration too, especially if employees violate basic cybersecurity practices. Malicious actors can exfiltrate data from corporate cloud drives if they’re poorly protected or misconfigured. Another concern is when a user uploads data to their personal cloud storage and provides extensive access permissions to it, exposing data to unauthorized parties.

Unauthorized software

Installing unauthorized software on corporate devices poses a severe risk to an organization’s cybersecurity. Employees can intentionally or inadvertently download unlicensed products that may contain malware and ransomware that transfers data to an external system without the user’s knowledge. Another way for malware to get into corporate devices and networks is through shady websites if negligent employees access them from corporate computers.

Supply chain attacks

Your partners, suppliers, and other third parties with access to your organization’s infrastructure  are a source of supply chain cybersecurity risks. In a supply chain attack, cybercriminals may infiltrate one of your suppliers and escalate the attack to access your organization’s data. According to the 8th Annual State of the Supply Chain Report by Sonatype, there was a 742% average annual increase in software supply chain attacks from 2019 through 2022.

Let’s now explore several real data exfiltration attacks.

Data exfiltration attack examples

To see how data exfiltration happens in real life and grasp the possible consequences, let’s take a look at three examples of data exfiltration attacks that happened in 2023:

Affected entityPharMerica
Incident typeRansomware attack
  • Exfiltration of personal data of 5.8 million individuals
  • Potential loss of customer trust
  • Potential penalties due to non-compliance with healthcare data protection requirements

In March 2023, PharMerica discovered suspicious activity on their computer network. Investigation results showed that an unknown third party had accessed PharMerica IT infrastructure, extracting personal data of almost six million people. Compromised information included social security numbers, birth dates, names, health insurance information, and other personally identifiable information. Although PharMerica did not reveal who initiated the attack, the Money Message ransomware gang took responsibility for the breach on March 28, 2023, when they began publishing stolen data.

Affected entityUS Department of Defense
Incident typeData exfiltration by an insider
  • Leak of classified government and military data
  • Threat to national security
  • Risk of losing advantages over adversaries

In April 2023, the FBI arrested Jack Teixeira, a member of the Massachusetts Air National Guard, in connection to a Pentagon intelligence leak. Jack had been posting images of classified US government and military documents to a Discord chat group. The leak was discovered a few months after he began sharing sensitive documents. US officials stated that Teixeira was the leader of the group with which he shared sensitive data. The leaked documents contained in-depth intelligence assessments on both allies and adversaries, as well as information on the state of the war in Ukraine and the difficulties Kyiv and Moscow were facing at the time. A comprehensive DoD insider threat program and effective insider risk management software could have prevented this incident.

Affected entityProgress MOVEit
Incident typeSupply chain attack
  • Leak of personally identifiable data
  • Reputational damage
  • Damage to software supply chain entities

In June 2023, a Russian ransomware group hacked MOVEit, a popular file transfer tool produced by Progress Software. Shortly after, the attack escalated to compromise sensitive data of many companies that were using the software, including the BBC, Zellis, British Airways, and other organizations. Exfiltrated data including staff members’ and customers’ personally identifiable information, such as addresses, IDs, national insurance numbers, and dates of birth. This attack demonstrates both how rapidly a supply chain attack may spiral and how cybercriminals can infiltrate even small vendors to cause massive damage to large corporations.

Such examples show that data exfiltration can happen to any organization and that it may take some time to detect an incident. Read on to learn the top security best practices that can help you minimize your data security risks and prevent data exfiltration.

How can you secure your assets from data exfiltration?

10 data exfiltration prevention techniques

Preventing data exfiltration requires a holistic approach that includes reviewing your security measures, implementing an insider threat program, and educating employees.

To get you started, we’ve gathered ten best practices that can enhance your organization’s cybersecurity and help you reduce the chances of data exfiltration.

10 best practices to prevent data exfiltration

1. Assess risks to your organization’s data

To efficiently handle data exfiltration, you need to know what threats to expect and how to mitigate security risks before they become issues. Consider applying the following risk assessment practices:

Key steps of a data security risk assessment

A risk assessment helps you identify potential threats, prioritize risks, and evaluate how your current cybersecurity measures can mitigate potential threats. Then, you can determine whether you need to implement any additional cybersecurity practices.

2. Implement information security policies

Once you know the risks to your data, it’s time to reflect them in your information security policies (ISPs). ISPs can help you fight data exfiltration by directing and synchronizing your organization’s data protection efforts.

Consider paying particular attention to the following types of ISPs:

  • Data management policy
  • Network security policy
  • Access control policy
  • Vendor management policy
  • Removable media policy

You may either have multiple information security policies or create a single centralized ISP containing all aspects of organizational security that will help you secure sensitive data.

3. Secure your data management

How you manage sensitive data is crucial to your information security. Consider documenting your data management processes and pay attention to how data is collected, stored, processed, and deleted; who can access it; and so on.

It’s also critical to define your organization’s data protection measures. Gartner offers four key data security methods you can use to protect your information from exfiltration:

Data security methods by Gartner

4. Implement an insider threat program

Malicious insiders are hard to detect, as they have authorized access and it’s difficult to differentiate their regular job-related activities from malicious ones. Additionally, insiders know your network and where data is located. Insider threats are not only about malicious employees, as many external attacks are successful due to negligent workers and third parties putting your data at risk.

An insider threat program can help you manage all of these risks by coordinating measures for detecting and preventing insider threats. When creating the program, it’s important to enlist the support of your organization’s key stakeholders. Also, assigning a specialized insider threat response team and deploying dedicated insider risk management solutions will be of great help.

For more expert thoughts on how to reduce the risk of data exfiltration with an insider threat program, consider watching this YouTube video:

5. Implement the just-in-time approach to access management

Ensure that only the right users are provided with privileged access to specific systems and resources, only for a valid reason, and only for the time required. With the just-in-time privileged access management (JIT PAM) approach, you can minimize the risks of data exfiltration and implement the principle of least privilege, with zero standing privileges as the goal. You may also consider systematically conducting user access reviews for current and former employees.

Practical ways to restrict access to sensitive data

When managing access within your organization, you can also consider implementing access control models, such as discretionary access control (DAC) and mandatory access control (MAC). We have a detailed article on the matter to help you understand the difference between DAC and MAC.

6. Monitor user activity

Data exfiltration monitoring requires you to track user activity to make sure users access and handle data securely. Monitoring user activity can help your organization proactively detect and respond to potential data exfiltration attempts, whether initiated by insiders or external threat actors. In the event of a data breach or suspected exfiltration, monitoring user activity provides valuable evidence for investigation and forensic analysis. Detailed records of user actions can help you reconstruct the sequence of events, identify the source of the breach, and support your incident response efforts.

Apart from monitoring regular employees, it’s essential to keep an eye on third parties with access to your infrastructure and users with elevated access rights. Privileged users have access to the most sensitive parts of the corporate network and have more opportunities to exfiltrate data while remaining unnoticed. Therefore, such users have to be closely watched.

7. Leverage user and entity behavior analytics

Security user behavior analytics, or user and entity behavior analytics (UEBA) solutions are based on artificial intelligence algorithms. UEBA technology works by analyzing users’ behavioral patterns and defining a baseline of normal and expected behavior. User actions that deviate from this baseline are considered potential risks and need to be examined by security officers.

User and entity behavior analytics offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning). Vendors use packaged analytics to evaluate the activity of users and other entities (hosts, applications, network traffic and data repositories) to discover potential incidents.


UEBA tools usually need some time to track and analyze how a user typically behaves. Once this process is finished, UEBA will supplement your data exfiltration prevention solutions, helping you automatically detect data breaches in their early stages.

8. Develop a culture of cybersecurity awareness

Data exfiltration is often caused by phishing, transferring data to insecure devices, and account exploits caused by employees’ poor password habits. To minimize the risks of such incidents, you need to systematically educate your staff and update your security policies. Also, consider implementing a people-centric security approach to make your employees the most important level of your security perimeter.

By consistently emphasizing the importance of cybersecurity and providing employees with the knowledge, resources, and support they need, you can nurture a culture of cybersecurity awareness inside your organization. In such a way, you’ll create a collective responsibility for data protection and empower your employees to actively contribute to the organization’s overall security posture.

9. Ensure a quick incident response

Organizations frequently become aware of data leaks only when they notice missing data or find out that their data was sold to someone. But the longer a data breach goes unnoticed, the more damage an attacker can cause. Most organizations may not know about an incident for months. It takes 277 days on average to detect a data breach according to the Cost of a Data Breach Report 2022 by IBM Security.

Therefore, a prompt data exfiltration incident response is vital to protecting your data and ensuring your business continuity. Implementing dedicated incident detection and response solutions can help you detect data breaches early. You may also consider creating an incident response plan that will provide your cybersecurity team with clear scenarios for acting in urgent situations:

What should you include in your incident response plan?

10. Manage your supply chain risks

Supply chain security is an ever-growing concern of cybersecurity experts that affects an organization’s data security. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, which is a threefold increase from 2021.

Supply chain risk management goes beyond mere third-party risk management and requires employing a holistic cyber supply chain risk management (C-SCRM) strategy. C-SCRM involves assessing all cybersecurity risks that may come from your supply chain, taking measures to protect your data from vendors, and collaborating with suppliers on improving their security.

How to prevent data exfiltration with Ekran System

Ekran System is a universal insider risk management platform that can help your organization secure sensitive data and fight insider threats.

Based on the deter-detect-disrupt principle, Ekran System can help your organization establish a proactive and multi-layered approach to preventing data exfiltration. Ekran System’s capabilities combine preventive measures to secure access to data, user activity monitoring to detect suspicious activity, and quick response functionality to disrupt ongoing exfiltration attempts.

Let’s explore Ekran System’s capabilities in more detail.

Manage identities and control access

By managing access privileges and verifying user identities, you will be able to secure data from unauthorized access and reduce the risks of account compromise. Ekran System offers the following access management features:

Monitor user activity

To detect security threats coming from your organization’s users, your security officers need to be able to track user activity inside your IT infrastructure. Ekran System provides the following monitoring capabilities:

Respond to security incidents

By quickly detecting and responding to security threats, your organization will be able to reduce the scale of potential damage and prevent data breaches before they even happen. Ekran System’s incident response capabilities include:

  • Real-time user activity alerts to receive live notifications about potentially harmful user activity
  • Automated incident response mechanisms to configure how Ekran System responds to particular user behaviors; response actions include blocking users, stopping applications, displaying warning messages, and blocking USB devices
  • UEBA capabilities to automatically detect activity that deviates from the established baseline of user behavior

Additionally, Ekran System provides incident investigation capabilities, including the generation of customizable reports and exporting of user sessions as tamper-proof digital evidence for forensic investigations.


Preventing and mitigating data extraction techniques is a complicated task that involves dealing with both possible attackers and negligent employees. By implementing cybersecurity best practices from this article and using proven technologies such as user activity monitoring and UEBA, you’ll cover the lion’s share of potential vulnerabilities.

Request a free 30-day trial of Ekran System

and test its capabilities in your IT infrastructure!



See how Ekran System can enhance your data protection from insider risks.