What is data exfiltration?
Data exfiltration is a security breach during which data is transferred from your systems or devices by an unauthorized user. It is sometimes also called data theft, data exportation or data extrusion.
Data exfiltration can occur as part of an automated attack or can be performed manually and can occur on-site or through an internet connection. When it occurs, it is typically part of a targeted attack for sensitive or valuable data.
Data exfiltration can be detected, but often not until at least some data has already been lost, because an illegitimate transfer looks very much like a legitimate one. Detecting it means recognizing that the user or service should not be transferring data at all, that the data being moved is suspicious, or that the size of the transfer is suspicious.
To reliably detect data exfiltration, organizations need to distinguish between unauthorized and authorized data transfer. You can do that by leveraging data loss prevention (DLP), UEBA and SIEM technologies.
Data exfiltration vs. data leakage vs. data breach
While these terms are related, they refer to different types of security incidents:
- Data exfiltration: This is the intentional and unauthorized transfer of data from a system. It is typically carried out by a malicious actor, such as an external attacker or an insider threat. The goal is often espionage, financial gain, or sabotage.
- Data leakage: This refers to the unintentional exposure of sensitive data, usually due to misconfigurations, human error, or weak security controls. Examples include employees accidentally sending confidential information to the wrong recipient or sensitive files being stored in publicly accessible locations.
- Data breach: A broader term that encompasses both exfiltration and leakage. A data breach occurs when sensitive data is accessed, disclosed, or stolen without authorization. Breaches can result from cyberattacks, insider threats, or accidental leaks.
How does data exfiltration occur?
Data exfiltration can happen through two primary methods: external attacks and insider threats.
External attacks
In an external attack, cybercriminals infiltrate a network to steal sensitive data, often using malware. This malware may be installed on corporate devices such as computers or smartphones, allowing attackers to extract information remotely. These attacks can also involve credential theft, enabling unauthorized access to internal systems.
Insider threats
Insider threats occur when employees—either maliciously or negligently—facilitate data exfiltration. Malicious insiders may intentionally transfer sensitive data to personal email accounts or cloud storage for financial gain or competitive advantage. In contrast, negligent insiders may accidentally expose data by mishandling access permissions or sending confidential information to the wrong recipient.
Types of data exfiltration techniques
There are several ways that attackers commonly exfiltrate data. As attackers look for ways around more advanced security tooling, these methods also evolve. Here are some of the most commonly used data exfiltration techniques:
- Outbound email—used to exfiltrate data from calendars, databases, email, and planning documents. This method can involve attaching documents to outbound emails, or exfiltrating attachments that users have legitimately stored on email servers.
- Downloads to insecure devices—data is transferred by users from secure, trusted systems to an insecure device. From there, the attacker can infiltrate the device and exfiltrate the data. Insecure devices often include unmanaged devices such as smartphones, cameras, laptops, or external drives.
- Uploads to cloud storage—data can be exfiltrated from cloud storage when data is uploaded to insecure or misconfigured resources. These resources may be purposely misconfigured, by attackers or malicious insiders, or accidentally left exposed to the public. Exfiltration may also occur when employees upload data to personal cloud drives from secure systems.
- Unsecured behavior in the cloud—similar to cloud storage, misconfigurations or lack of security in cloud environments can leave pathways for data exfiltration. Another concern is if excessive access is provided to cloud services connected to data systems. If these services are compromised, attackers can use service permissions to access and exfiltrate data.
Data exfiltration examples: 3 attacks you can learn from
In 2024, several high-profile incidents underscored the severity of data exfiltration threats.
- Change Healthcare ransomware attack (February 2024): Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack executed by the BlackCat (ALPHV) group. Attackers infiltrated the company’s systems, exfiltrated sensitive data, and deployed ransomware that disrupted operations. The breach led to significant interruptions in healthcare services nationwide, as electronic payments and medical claims processing were halted. UnitedHealth Group estimated the response costs at approximately $2.87 billion in 2024 and paid a $22 million ransom to the attackers.
- Snowflake data breach (May 2024): In May 2024, cloud data platform Snowflake experienced a significant data breach. Attackers exploited vulnerabilities to access and exfiltrate customer data stored within Snowflake’s infrastructure. The breach raised concerns about the security of cloud-based data storage solutions and prompted a reevaluation of cloud security measures across the industry.
- AT&T data breaches (2024): AT&T faced two separate data breaches in 2024. In July, cybercriminals stole data containing phone numbers and call records of nearly all AT&T customers, approximately 110 million individuals, over a six-month period. The data was stolen from AT&T’s account with data giant Snowflake. Earlier in March, a breach exposed 73 million customer records, including personal information such as names, phone numbers, and postal addresses. These incidents highlighted vulnerabilities in third-party data storage solutions and the need for stringent security protocols.
These examples illustrate the diverse methods attackers employ to exfiltrate data, from exploiting vulnerabilities in cloud platforms to targeting large corporations’ internal systems. They underscore the critical need for robust security measures, continuous monitoring, and proactive threat mitigation strategies to protect sensitive information from unauthorized access and exfiltration.
How to detect and prevent data exfiltration
Preventing data exfiltration should be a priority for any organization; especially those with sensitive data. Below are a few tools and practices you can use to ensure that your data is and remains as secure as possible.
1. SIEM
Security information and event management (SIEM) solutions serve as the foundation of many security strategies. These solutions enable teams to ingest and monitor data from across systems via a centralized dashboard.
SIEM platforms integrate with the various components and tooling in your system to aggregate, analyze and correlate data. If events are determined to be suspicious, the SIEM can alert security teams and provide contextual information for event investigation.
These solutions are particularly helpful for detecting data exfiltration because SIEMs are able to evaluate and identify trends over an extended period. Often, data exfiltration occurs in several smaller events. SIEMs can connect these events together and produce a timeline for teams to investigate.
2. UEBA
User and entity behavior analytics (UEBA) solutions use machine learning to analyze the behavioral patterns of users and devices (entities). With this analysis, solutions are able to create baselines of normal or expected behavior that new events can be compared against. If an event does not match the existing patterns, security teams are alerted and provided contextual information to investigate.
UEBA is particularly useful for detecting and preventing exfiltration because it can identify unusual file access or manipulation. This means that even insiders with valid credentials are detected if they begin exporting or accessing data they aren’t supposed to. You can integrate UEBA with your data loss prevention tools.
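The baseline-and-deviation idea from this section, together with the SIEM point above that exfiltration often arrives as many small events that must be stitched into one timeline, as an added example in Python (not Exabeam's code). The event log is constructed, and the per-user daily-bytes model, the median/MAD threshold and the field layout are assumptions made for the demonstration.

```python
"""Baseline-and-deviation detection over constructed outbound-transfer events.

Added example, not Exabeam's code. The event tuples, the per-user daily
byte model and the MAD-based threshold are assumptions made for the demo.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: (timestamp, user, action, destination, bytes)
EVENTS = [
    ("2024-06-03T09:12:00", "alice", "email_attach", "partner.example", 1_200_000),
    ("2024-06-04T10:05:00", "alice", "email_attach", "partner.example", 1_000_000),
    ("2024-06-05T11:30:00", "alice", "cloud_upload", "corp-share.example", 900_000),
    ("2024-06-05T15:45:00", "alice", "email_attach", "partner.example", 500_000),
    ("2024-06-06T09:50:00", "alice", "email_attach", "partner.example", 1_100_000),
    ("2024-06-07T14:20:00", "alice", "email_attach", "partner.example", 1_300_000),
    ("2024-06-03T08:00:00", "bob", "cloud_upload", "corp-share.example", 2_000_000),
    ("2024-06-04T08:00:00", "bob", "cloud_upload", "corp-share.example", 2_100_000),
    ("2024-06-05T08:00:00", "bob", "cloud_upload", "corp-share.example", 1_900_000),
    ("2024-06-06T08:00:00", "bob", "cloud_upload", "corp-share.example", 2_000_000),
    ("2024-06-07T08:00:00", "bob", "cloud_upload", "corp-share.example", 2_200_000),
    ("2024-06-08T08:00:00", "bob", "cloud_upload", "corp-share.example", 2_000_000),
]
# On 2024-06-08 alice pushes eight 7.5 MB chunks to a personal drive: each one
# is small, but together they are 60 MB, roughly 50x her usual day.
EVENTS += [
    (f"2024-06-08T18:{m:02d}:00", "alice", "cloud_upload", "personal-drive.example", 7_500_000)
    for m in range(0, 40, 5)
]


def daily_totals(events):
    """Sum bytes per (user, day) so many small transfers become one figure."""
    totals = defaultdict(int)
    for ts, user, _action, _dst, nbytes in events:
        totals[(user, ts[:10])] += nbytes
    return totals


def find_anomalies(events, factor=5.0, min_history_days=3):
    """Flag (user, day) totals far above that user's own baseline.

    Baseline = median of the user's other days; spread = median absolute
    deviation (MAD), which a single extreme day cannot drag upwards.
    """
    totals = daily_totals(events)
    findings = []
    for (user, day), total in sorted(totals.items()):
        history = [v for (u, d), v in totals.items() if u == user and d != day]
        if len(history) < min_history_days:
            continue  # not enough of this user's history to say what is normal
        base = median(history)
        spread = median(abs(v - base) for v in history)
        if spread == 0:  # perfectly flat history: fall back to 10% of baseline
            spread = max(base * 0.1, 1.0)
        if total > base + factor * spread:
            day_events = sorted(e for e in events if e[1] == user and e[0][:10] == day)
            seen_before = {e[3] for e in events if e[1] == user and e[0][:10] != day}
            findings.append({
                "user": user,
                "day": day,
                "total_bytes": total,
                "baseline_bytes": base,
                "new_destinations": sorted({e[3] for e in day_events} - seen_before),
                "timeline": day_events,  # the small events the SIEM stitches together
            })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(EVENTS):
        print(f"{f['user']} on {f['day']}: {f['total_bytes']:,} bytes vs baseline "
              f"{f['baseline_bytes']:,.0f}; new destinations {f['new_destinations']}")
        for ts, _u, action, dst, nbytes in f["timeline"]:
            print(f"  {ts} {action} -> {dst} ({nbytes:,} bytes)")
```

Two design points matter here. The baseline is per user, so bob's steady 2 MB a day never trips an alert even though it is larger than alice's normal day, and the spread uses the median absolute deviation rather than the standard deviation so that the one anomalous day does not inflate the threshold it is measured against. The `timeline` and `new_destinations` fields give an analyst the individual small uploads and the previously unseen destination in one place.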
3. Strong passwords
Insecure credentials are one of the most common methods attackers use to gain access to a system. These can include default passwords that have not been changed, weak or reused passwords, or passwords that have been inadvertently shared through phishing.
To prevent the abuse of passwords, make sure your password policy requires sufficient complexity and that passwords are rotated periodically. You should also consider implementing multi-factor authentication (MFA), which confirms a user's identity with a second, independent method.
4. Data encryption
Encrypting your data at-rest and in-transit ensures that only those with the appropriate key are able to access it. Encryption is also a requirement of many regulatory compliance and industry standards.
To keep your data secure, ensure that all data is encrypted whenever possible. If there are times when encryption is not possible, for example in paper documents, extra security precautions should be added.
5. Employee training
Employee mistakes are a frequent weakness leveraged by attackers. Employees may unsuspectingly download malicious files, share credentials through phishing campaigns, or fail to properly secure personal devices.
To avoid these mistakes it is important to periodically train your employees on proper security measures. Make sure that they understand how to identify suspicious sites, documents, and emails. You should also ensure that they know who to report suspicious events to so security teams can take action as soon as possible.
6. Firewall egress filters
Firewalls should be implemented to block unwanted outsiders and prevent the egress of data. Egress filters let you enforce that outbound data leaves only over approved protocols and ports and only to approved destinations. These filters help ensure that even if attackers get in, they are not able to send data out.
7. Endpoint Detection and Response (EDR)
Endpoint Detection and Response tools provide continuous monitoring and threat detection at the endpoint level, helping organizations spot and stop data exfiltration in real time. By analyzing file access, process behavior, and network activity, EDR can detect subtle signs of malicious behavior—such as unauthorized data transfers, use of external drives, or unusual upload activity—before data is lost. These tools offer rich telemetry and investigation capabilities that help teams understand the scope and impact of an incident quickly.
EDR solutions also provide built-in response actions like isolating affected devices, blocking exfiltration channels, or killing malicious processes. When integrated with SIEM or SOAR systems, they enable faster, automated responses and enhance threat correlation across the environment. Ensuring coverage across all endpoints, especially remote or unmanaged devices, is critical for reducing blind spots and keeping sensitive data protected.
8. Network Monitoring Tools
Network monitoring tools play a vital role in detecting data exfiltration by analyzing traffic across the network—something EDR tools may miss since they operate primarily at the endpoint level. Positioned deeper in the network stack and across different OSI layers, network monitoring tools can detect suspicious outbound connections, encrypted tunnels, unusual data transfer volumes, and traffic to unauthorized external destinations—even if that traffic originates from a trusted or unmanaged device.
Because they observe traffic independent of the endpoint, these tools provide visibility into exfiltration attempts that evade endpoint controls, such as data sent over custom ports, non-standard protocols, or from compromised IoT or BYOD devices. When integrated with SIEM or EDR systems, network monitoring offers critical corroborating evidence, enabling faster, more accurate incident response. For best results, ensure all egress points are monitored and that alerts are tuned to flag behaviors indicative of data leakage.
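The egress-filter rules from step 6 and the flow-level monitoring described here, as one added Python example that is not Exabeam or NetMon code. Each constructed flow record is first judged against an assumed egress allowlist, and the flows the filter would let through are then aggregated by source and destination so that an unusually large transfer to an approved destination still surfaces. The internal address ranges, the policy table and the 1 GB volume threshold are assumptions.

```python
"""Egress-filter decisions plus flow-level monitoring over constructed flow records.

Added example; not Exabeam or NetMon code. The allowlist, the internal ranges,
the record layout and the 1 GB volume threshold are assumptions for the demo.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Egress allowlist (assumed policy): (protocol, destination port) -> who may receive it.
# "any" lets the service reach any external host; a list restricts it to those hosts.
EGRESS_POLICY = {
    ("tcp", 443): "any",
    ("tcp", 25): [ip_network("203.0.113.10/32")],   # outbound mail only via the relay
    ("udp", 53): [ip_network("203.0.113.53/32")],   # DNS only via the corporate resolver
}

# Constructed flow records: (src, dst, proto, dport, bytes_out)
FLOWS = [
    ("10.0.1.15", "203.0.113.53", "udp", 53, 800),
    ("10.0.1.15", "198.51.100.20", "tcp", 443, 150_000),
    ("10.0.1.15", "198.51.100.20", "tcp", 443, 120_000),
    ("10.0.1.22", "198.51.100.77", "tcp", 4444, 9_000_000),      # custom port: no rule
    ("10.0.1.22", "198.51.100.9", "tcp", 25, 2_000_000),         # SMTP bypassing the relay
    ("10.0.1.40", "198.51.100.200", "tcp", 443, 3_500_000_000),  # allowed, but 3.5 GB out
    ("10.0.1.40", "10.0.5.5", "tcp", 445, 40_000_000),           # internal: not egress
]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def egress_decision(flow) -> str:
    """What a filtering firewall would do with one outbound flow."""
    _src, dst, proto, dport, _nbytes = flow
    if is_internal(dst):
        return "internal"
    rule = EGRESS_POLICY.get((proto, dport))
    if rule is None:
        return "deny:no-rule-for-port"
    if rule == "any" or any(ip_address(dst) in net for net in rule):
        return "allow"
    return "deny:destination-not-approved"


def monitor(flows, volume_threshold=1_000_000_000):
    """Findings from two vantage points: what the filter blocks, and what it
    lets through but a network monitor should still question (by volume)."""
    findings = []
    allowed_bytes = defaultdict(int)
    for flow in flows:
        decision = egress_decision(flow)
        if decision.startswith("deny"):
            findings.append({"kind": "blocked", "reason": decision, "flow": flow})
        elif decision == "allow":
            allowed_bytes[(flow[0], flow[1])] += flow[4]
    for (src, dst), total in sorted(allowed_bytes.items()):
        if total >= volume_threshold:
            findings.append({"kind": "volume", "reason": f"{total:,} bytes to {dst}",
                             "flow": (src, dst, total)})
    return findings


if __name__ == "__main__":
    for f in monitor(FLOWS):
        print(f"[{f['kind']}] {f['reason']}: {f['flow']}")
```

The split between the two finding kinds is the point of the example: the filter stops the custom-port connection and the mail sent around the relay, but a 3.5 GB upload over port 443 to an arbitrary host is policy-compliant and only shows up when the flows are summed per source and destination, which is the view a network monitor adds to an egress filter.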
Data exfiltration protection with Exabeam
While DLP tools are valuable for enforcing known data movement rules, they often miss sophisticated attacks that don’t match pre-defined policies. Malicious insiders or advanced attackers can move data in ways that evade static DLP controls. Exabeam extends beyond traditional DLP by combining UEBA, SIEM, SOAR, and threat detection, investigation, and response (TDIR) into a single platform that identifies and correlates subtle indicators of compromise.
With the addition of NetMon, Exabeam gains visibility into lateral movement and outbound traffic across the network—capturing exfiltration attempts that don’t originate from endpoints or are hidden in encrypted tunnels. Sitting at different layers of the OSI model than endpoint tools, NetMon can detect data transfers over suspicious ports or to unauthorized destinations, offering a complementary perspective that’s often invisible to endpoint-only solutions. Combined with behavioral analytics and automated threat timelines, Exabeam correlates activity from users, devices, and the network to surface true threats faster—helping organizations reduce alert fatigue, improve incident response time, and protect against data loss more effectively.
For an example of a next-generation SIEM system with built-in UEBA, which can help prevent data exfiltration, learn more about the Exabeam Security Management Platform.
Cynthia Gonzalez
Senior Product Marketing Manager, Exabeam. Cynthia Gonzalez is a Senior Product Marketing Manager at Exabeam. An advocate for customers, she's focused on their use of technology to enable and simplify day-to-day work activities. She is at her best when bridging the gap between sophisticated software products and the benefits customers can expect. She received a BA with majors in Economics and Spanish from the University of California, Berkeley.