What is data exfiltration?
Data exfiltration is a type of data theft. Malicious actors breach a computer or server’s security measures and export proprietary data from it without authorization.
This practice is also known as data extrusion or data exportation.
Types of data exfiltration
Data can be stolen through two attack avenues: from outside an organization or from within. Both types of attacks can be disastrous. Hackers can use a number of methods to exfiltrate data. Below are a few techniques they often use to steal protected and/or sensitive data.
- Phishing: A phishing attack typically occurs when an outside actor sends messages, such as emails or texts, that look as though they originated from credible, legitimate sources in order to trick recipients into revealing sensitive information. For example, a phishing attack victim could receive an email that appears to have come from their manager stating that they need to review an attached slide deck. Clicking the attachment or link within that message may trigger a malware download, which then gives outsiders the ability to transfer data outside of the organization’s security perimeter.
- Outbound emails: Internal actors, such as employees or contractors, can send proprietary information to their own personal email accounts or other parties if security measures aren’t in place to prevent them from doing so.
- Insecure downloads: Unlike other methods of data exfiltration, this one can be accidental: organization insiders can unintentionally download sensitive data onto unprotected devices. Downloading an email attachment, such as an image or slide deck that contains sensitive information, to a smartphone suddenly takes that data outside of the company’s secured data perimeter.
- Unsecured assets: As organizations move operations to cloud-based work, human error has caused assets to become available to unauthorized users unintentionally. This can happen in a few ways, including by implementing the wrong access requirements to assets and by accessing cloud servers through unsecured means. The former allows outsiders to simply see sensitive data, but the latter allows outsiders to write and deploy malicious code.
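The outbound-email avenue described above leaves traces in mail gateway logs. The following Python sketch is an added example, not part of the original article: it flags internal senders who mail attachments to personal webmail accounts, either to an address matching their own name or above a daily volume. The corporate domain, webmail list, threshold, and log records are constructed assumptions.

```python
from collections import defaultdict

# Assumed values for illustration; none of them come from the article.
CORPORATE_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
DAILY_BYTES_THRESHOLD = 10 * 1024 * 1024  # attachment bytes per sender per day

# Constructed sample records with fields a mail gateway log typically carries.
SAMPLE_LOG = [
    {"date": "2024-05-06", "sender": "alice@example.com", "recipient": "bob@example.com", "attachment_bytes": 4_000_000},
    {"date": "2024-05-06", "sender": "carol@example.com", "recipient": "carol@gmail.com", "attachment_bytes": 2_500_000},
    {"date": "2024-05-06", "sender": "dave@example.com", "recipient": "ops@partner.example", "attachment_bytes": 12_000_000},
    {"date": "2024-05-06", "sender": "erin@example.com", "recipient": "x.y@outlook.com", "attachment_bytes": 6_000_000},
    {"date": "2024-05-06", "sender": "erin@example.com", "recipient": "x.y@outlook.com", "attachment_bytes": 5_000_000},
    {"date": "2024-05-06", "sender": "frank@example.com", "recipient": "pal@yahoo.com", "attachment_bytes": 0},
]

def split_address(address):
    """Return (local part, domain), lower-cased, for a bare e-mail address."""
    local, _, dom = address.lower().rpartition("@")
    return local, dom

def flag_outbound(records):
    """Flag internal senders mailing attachments to personal webmail accounts."""
    totals = defaultdict(int)   # (date, sender) -> attachment bytes sent out
    self_forward = set()        # keys where sender and recipient names match
    for rec in records:
        s_local, s_dom = split_address(rec["sender"])
        r_local, r_dom = split_address(rec["recipient"])
        if s_dom != CORPORATE_DOMAIN or r_dom not in PERSONAL_DOMAINS:
            continue            # internal mail or a non-webmail recipient
        if rec["attachment_bytes"] == 0:
            continue            # no attachment, so no file left the perimeter
        key = (rec["date"], rec["sender"].lower())
        totals[key] += rec["attachment_bytes"]
        if s_local == r_local:  # simple heuristic: same name at a webmail domain
            self_forward.add(key)
    findings = []
    for (date, sender), total in sorted(totals.items()):
        reasons = []
        if (date, sender) in self_forward:
            reasons.append("self-forward")
        if total >= DAILY_BYTES_THRESHOLD:
            reasons.append("volume")
        if reasons:
            findings.append((date, sender, total, reasons))
    return findings
```

Calling `flag_outbound(SAMPLE_LOG)` returns one finding per sender and day; mail to the partner domain and the attachment-free message are not flagged.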
Impacts of data exfiltration
Data exfiltration has several immediate and long-lasting negative impacts, including:
- Compromised data: The most obvious negative impact of data exfiltration is the unprotected data itself. Attacks typically target sensitive information, including credentials used to access personal finances, company secrets, and personally identifiable information (PII).
- Loss of confidence: Large-scale data exfiltration, or even exfiltration that damages just one very influential institution, such as a major commercial bank, can undermine confidence in the affected organizations. Consumers may stop trusting banks to protect their money, patients may panic if hospitals fail to protect personal medical information, and citizens may lose faith in their governments if they don’t protect secured PII.
Basic elements of data exfiltration
Data exfiltration tactics typically include the following elements.
- Unauthorized: The person or group accessing the information, or sharing it with outsiders or unsecured devices, is not allowed to do so. Moving data like this is often malicious, but it can be accidental.
- Covert: In the case of intentional, malicious data exfiltration, those attempting to solicit or move the targeted data do so covertly. In phishing attacks, for example, attackers disguise themselves to look like legitimate people or institutions to solicit information.
- Exploitative: In the case of malicious attacks, bad actors don’t hesitate to exploit a person’s trust or emotions to get the information they want. Attackers can rely on a sense of trust, such as posing as a trusted colleague in a phishing attack or causing victims to panic by manufacturing an emergency.
Data exfiltration prevention best practices
In order to avoid data exfiltration, follow these best practices:
- Remain up to date: Security teams must stay abreast of the latest known data exfiltration attempts, whether successful or not, to anticipate similar attacks within their own companies. Attackers are constantly evolving their strategies to avoid detection and evade consequences, so security professionals have to keep pace with cybersecurity news and continue to develop their skill sets through formal training and certifications.
- Inform employees: Training employees is an effective method for avoiding both accidental and intentional data exfiltration and data theft. Products designed for security awareness can arm employees with the skills necessary to avoid inadvertent data exfiltration and the ability to spot potential attacks through simulations.
- Endpoint protection: Endpoints, such as laptops, servers, and company smartphones, are historically the weakest points in an organization’s security network and should therefore be as secure as possible to prevent attacks. Firewalls, mandatory password updates, data access policies, and data encryption are a few measures organizations can take to protect their endpoints.
Data exfiltration vs. data infiltration
Data exfiltration and data infiltration are the inverse of one another.
- Data exfiltration: This is the unauthorized copying or transfer of data from a host device within an organization’s security perimeter to a device beyond that protection. Exfiltration can be accidental or intentional.
- Data infiltration: This refers to transferring unauthorized assets onto a device within an organization. It often happens when new employees upload proprietary information from their old job, such as templates or client lists, to help them in their new role. Often, this activity can get new employers into legal trouble and result in claims for financial damages from the information’s rightful owner. Infiltration might also include introducing malicious code onto a laptop, smartphone, or other endpoint within an organization’s security perimeter.

Brandon Summers-Miller
Brandon is a Senior Research Analyst at G2 specializing in security and data privacy. Before joining G2, Brandon worked as a freelance journalist and copywriter focused on food and beverage, LGBTQIA+ culture, and the tech industry. As an analyst, Brandon is committed to helping buyers identify products that protect and secure their data in an increasingly complex digital world. When he isn’t researching, Brandon enjoys hiking, gardening, reading, and writing about food.