Occurs in the final phase of an attack, following initial access, persistence, and lateral movement.
What is data exfiltration
Unauthorised transfer of confidential information from an organisation to external entities controlled by attackers.
Why it matters
Data exfiltration is critical from multiple perspectives:
- Regulatory impact: Under GDPR, CCPA, NIS2 and other regulations, loss of personal or operational data mandates notification to authorities and affected customers.
- Reputational damage: Publication of confidential data affects customer and stakeholder trust. In some cases, it is irreversible.
- Extortion and double extortion: In modern ransomware attacks, the attacker steals data first, then encrypts systems. If the victim doesn't pay the ransom, the attacker publishes the data.
- Competitive disadvantage: Theft of trade secrets, strategic plans, or research data directly benefits competitors.
- Direct financial costs: Notification to affected parties, insurance, forensics, litigation, and regulatory fines are catastrophic costs for many organisations.
Key points
Can be performed via FTP, SFTP, HTTP/HTTPS, DNS tunnelling, cloud protocols (S3, Azure Blob), email, legitimate tools (RDP, Outlook), etc.
Often goes unnoticed for weeks because outbound traffic is difficult to analyse and can appear legitimate.
Data can be compressed, encrypted, or fragmented, making identification via content inspection difficult.
Once exfiltrated, data is beyond the organisation's control. Recovery is impossible; containment is limited to preventing further exfiltration.
Data exfiltration example in the real world
A cybercrime group gains access to a pharmaceutical company by compromising an externally accessible email server. After establishing persistence, the attacker: The organisation discovers the exfiltration 45 days after it began, when a researcher detects anomalous PowerShell processes. But by then, the data is public and multiple third parties have downloaded it.
Common mistakes
- Knowing that someone tried to copy a file doesn't prevent them from doing it. Granular access control is required alongside detection (DLP, SIEM correlation, behavioural analysis).
- If the network perimeter is secure but internal servers have no audit logging, data can be stolen from within without detection.
- Many organisations have excellent inbound visibility but total outbound blindness. This is a critical error.
- Without knowing where critical data resides, it's impossible to protect it specifically. The attacker will find the valuable data.
- PowerShell, WinRAR, native FTP tools, Outlook: the attacker uses what already exists, and antivirus doesn't flag these tools.
Frequently asked questions
What is the difference between a data leak and data exfiltration?
A data leak can be accidental (an employee sends a file by mistake). Exfiltration implies deliberate intent: an attacker or insider who extracts data in a planned manner for personal or financial gain.
How is data exfiltration detected?
Through outbound traffic monitoring, user and entity behaviour analytics (UEBA), DLP tools, protocol inspection and SIEM event correlation. Detection requires visibility at both network and endpoint level.
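To make the outbound-monitoring and protocol-inspection detections concrete, here is an added example (written for this page, not code from its author) that runs two simple heuristics over constructed egress flow records: a per-host outbound-volume outlier check, and a check for over-long or high-entropy DNS labels of the kind DNS tunnelling produces. The record format, hostnames, addresses and thresholds are all assumptions.

```python
import math
import statistics
from collections import defaultdict
# Constructed sample egress records (not real traffic): src_host,dst,proto,bytes_out,dns_name
SAMPLE_LOG = """\
ws01,203.0.113.10,https,52000,-
ws02,203.0.113.11,https,48000,-
ws03,203.0.113.12,https,61000,-
ws04,198.51.100.7,https,2400000000,-
ws05,192.0.2.53,dns,120,mail.example.com
ws05,192.0.2.53,dns,140,a9f3c1e7b2d4e6f8a0c2b4d6e8f0a1b3c5d7e9f1a2b4c6d8.tunnel.example.net
"""

def parse(log: str):
    """Split CSV-style records into (src, dst, proto, bytes_out, dns_name) tuples."""
    rows = []
    for line in log.strip().splitlines():
        src, dst, proto, nbytes, name = line.split(",")
        rows.append((src, dst, proto, int(nbytes), name))
    return rows

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32-encoded payloads inside a DNS label score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def flag_volume_outliers(rows, factor: float = 10.0):
    """Hosts whose total outbound bytes exceed `factor` times the median host (assumed threshold)."""
    per_host = defaultdict(int)
    for src, _dst, _proto, nbytes, _name in rows:
        per_host[src] += nbytes
    median = statistics.median(per_host.values())
    return sorted(h for h, b in per_host.items() if b > factor * median)

def flag_dns_tunnelling(rows, max_label: int = 40, min_entropy: float = 3.5):
    """DNS names with an over-long or high-entropy label: data may be encoded in the query itself."""
    hits = []
    for src, _dst, proto, _nbytes, name in rows:
        if proto != "dns":
            continue
        longest = max(name.split("."), key=len)
        if len(longest) > max_label or shannon_entropy(longest) > min_entropy:
            hits.append((src, name))
    return hits

if __name__ == "__main__":
    print(flag_volume_outliers(parse(SAMPLE_LOG)), flag_dns_tunnelling(parse(SAMPLE_LOG)))
```

In practice both thresholds are tuned against a per-host baseline, since scheduled backups or large uploads to sanctioned cloud storage would otherwise trip the volume check.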
Which regulations require notification after exfiltration?
GDPR requires notification to the authority within 72 hours if personal data is affected. NIS2 applies to essential and important entities. DORA covers financial institutions. Local data protection authorities supervise compliance.
Can data exfiltration be completely prevented?
Not 100%, but the risk can be drastically reduced with network segmentation, granular access control, outbound traffic monitoring, DLP and rapid response to indicators of compromise.