How to Prevent Data Exfiltration Incidents

data exfiltration
Share article
twitter linkedin medium facebook

Customers entrust their data to you and regulators require you to keep it safe. Bad actors want to take it from you, and some may be interested in stealing your proprietary business secrets, too. In both cases, if they copy or move it to their own storage devices, this becomes a case of data exfiltration, and it’s something that can damage your business, and cost you in huge regulatory penalties, reputation loss, and compensation claims. In this article, we look at what it is, some notable examples, and what you can do to prevent it.

What is data exfiltration?

We’ve all heard of infiltration, and exfiltration is the opposite. Data exfiltration is data theft, and it’s something that can happen after a data leak or data breach has taken place. Since you may have seen these three terms being used interchangeably, let’s begin by establishing the difference between them:

  • Data leak: This is when sensitive data is accidentally exposed to unauthorized access.
  • Data breach: This is when sensitive data is deliberately exposed to unauthorized access.
  • Data exfiltration: This means moving or copying the exposed data to a storage device that the attacker controls.

So, data leaks and data breaches provide the means of access, and data exfiltration is the act of moving sensitive data off the premises. Organizations across all sectors hold sensitive information about their businesses, their clients, customers, and employees, and once they have it, cybercriminals can often find a ready market for it on the dark web or hacker message boards. For example, the details for one stolen credit card with a $5000 limit could be worth $110, but many other types of data are saleable too, including proprietary business information, medical records, passport details, and driver’s licenses.

Sometimes data exfiltration isn’t the point of the attack, but it happens anyway because it’s used as a tactic. In ransomware or DDoS attacks, for instance, bad actors aim to cause maximum disruption, their thinking being that if they can cripple the victim’s operations, they will pay to get it back. This happened when the Health Executive of Ireland was hit by a ransomware attack in 2021. The criminal gang responsible released 520 patient records on the Internet to pressure the organization into paying the ransom, the threat being that if they didn’t, the attackers would release even more.

Data exfiltration examples: a timeline of incidents

We could probably list hundreds of data exfiltration incidents from the past few years, but here are a select few:


Many organizations in the public and private sectors use file transfer provider MOVEit to transmit sensitive personal data, but in June 2023, the company suffered a huge attack. Estimates of the number of people affected range from 60 million to around 94 million, and one estimate puts the overall cost at around $9.9 billion. From the perspective of these customer organizations, this was a supply chain attack, and it was carried out by the Russian-linked ClOp cybergang. It exploited zero-day vulnerabilities in the MOVEit application to perform SQL injection on public-facing servers to access sensitive data.


Appointment management business FlexBooker was hacked by a group called Uawrongteam at the start of 2022. The data exfiltration included ID information, driver’s licenses, and passwords for three million users that was then offered for sale on popular hacking message boards. The attack was doubly damaging because it was said to be unsophisticated, and the company lost customers as a result.


In May, the DarkSide criminal organization stole 100GB of data from Colonial Pipeline. The next day they launched a ransomware attack on the company and threatened to make the stolen data public. The attack shut down the 5,500-mile (8,900-km) pipeline which carries 2.5 million barrels a day, or 45% of the East Coast’s fuels to 50 million Americans. As a result, the company reportedly paid $4.4 million to end it.

In December, T-Mobile announced a breach affecting the personal details of 76.6 million customers. It agreed to pay $350 million to settle a related class action lawsuit and a further $150 million to upgrade its cybersecurity. The company has suffered 8 hacks since 2018.

In January the Accellion Software supply chain attack affected hundreds of companies, mostly in the healthcare sector, and around 9.2 million individuals. The attackers exploited several unpatched, zero-day vulnerabilities in Accellion’s File Transfer Appliance software. This allowed them to infiltrate connected client networks and steal large amounts of personal and protected health information.

Numerous Accellion clients began receiving extortion emails with threats to leak the stolen data, and some of it was leaked online. Accellion paid victims $8.1 million to settle a class-action lawsuit. The suit claimed it the company had failed to employ adequate security, failed to detect the vulnerabilities behind the exploit, and failed to disclose that its data security practices were inadequate.

In April, personal data related to 533 million Facebook users was found online. The company has experienced around 20 publicly acknowledged data breaches since 2012, and it paid out $725 million to settle a class-action lawsuit in respect of one of them, the Cambridge Analytica data scandal.


In September, MGM Resorts was hacked and personal data such as names, phone numbers, and passport numbers for 10.6 million customers was stolen. It cost the company $110 million, including $10 million in one-time cleanup fees.

In June, Twitter suffered a Bitcoin scam attack, compromising high-profile accounts and exposing some user data.


In December, First American Financial suffered a massive data breach exposing real estate documents and the personal information of millions.

Capital One suffered a data breach affecting over 106 million customer accounts, with credit card applications and customer information being stolen. The resulting class-action lawsuit brought by US victims cost the company $98 million.


In February, an Under Armor data breach compromised the usernames and email addresses of over 150 million MyFitnessPal user accounts. Payment card data wasn’t affected, but the exposed data had been scrambled with an older hashing algorithm called SHA-1, so it was easier for the criminals to decipher. This underlines the need to use the latest encryption technologies when protecting sensitive data.

In September, a Quora data breach exposed the personal information of over 100 million users. Passwords, full names, email addresses, data imported from linked networks, and various non-public actions and messages were stolen.


In September, one of the ‘big four’ accounting firms, Deloitte suffered a data breach affecting multiple clients. The ClOp gang duped an employee into clicking a link in a phishing email that gave them access to the company network. This allowed them to access bank account and credit card numbers, usernames, passwords, and other details belonging to the firm’s employees, and 350 clients, including U.S. government agencies and large corporations. Astonishingly, the compromised server did not have two-factor authentication in place at the time of the breach.

In October, an Equifax data breach affected over 147 million Americans, exposing their Social Security numbers and other sensitive data. The company agreed to a settlement that included up to $425 million for affected users.

Interestingly, none of the stolen data ever found its way onto the dark web. The breach was believed to have been an intelligence gathering operation orchestrated by the Chinese government, in an alleged effort to create a ‘data lake’ of information about millions of Americans that could be exploited in the future for espionage purposes.

Equifax spent $1.4 billion on upgrading its lax security following the incident.


In September, Yahoo revealed that a data breach had occurred in 2014 that affected 500 million users. Then in December, the company revealed that a separate breach had taken place in 2013. It initially said that 1 billion users had been exposed, but it later revised the figure to 3 billion. Stolen data included sensitive account information, including security questions.

Data exfiltration prevention: best practices

Access Control

Use the principle of least privilege: This is the idea that you should only give employees access to the tools and spaces (both physical and virtual) that they need to perform their given roles, and anything beyond these should be restricted.

Regularly review and revoke access: Leading on from this, you should put systems in place to revoke access for users who no longer require it, such as contractors, vendors, and ex-employees. This should also be applied to current employees whose need for access changes when they change roles.

Multi-factor authentication (MFA): This is an extra layer of security that works by requiring additional steps after passwords. It works by asking the user for more than one piece of information before they are allowed access to a system. For instance, after entering a password, they might be asked to enter a code delivered to them via SMS text. It’s a simple but effective approach that could have saved Deloitte a lot of trouble.

Monitor user activity: Look for suspicious activity that might point towards unauthorized access attempts.

Data Encryption

Encrypt data both in transit and at rest to protect it regardless of location.

Use strong encryption algorithms with proven strength and industry-standard protocols. Under Armor would have benefited from applying this advice.

Manage encryption keys securely by using best practices for redundancy, access control, and key rotation.

Endpoint Security

Use endpoint security solutions such as antivirus, anti-malware, and complete visibility solutions such as Reflectiz.

Patch vulnerabilities promptly: Regularly update software and firmware on all devices. The latest versions often close security holes, so these should always be installed without delay.

Restrict removable media usage: Implement policies and controls to limit and monitor the use of all such portable storage devices.

BYOD: use a ‘bring your own device’ policy to define the limits of acceptable usage for employees’ own IT equipment. For instance, you might allow them to use their own devices to connect to corporate networks provided they use your approved VPN, security software, and work-related apps.

Incident Response Planning

Develop a clear incident response plan: Define how your organization will respond to data exfiltration incidents, including containment, investigation, and notification.

Test and update your plan regularly: Regularly test and update your incident response plan to ensure that it is effective.

Practice data backup: Have a reliable data backup and recovery plan in place to reduce the downtime and data loss that follows an incident.

Network Monitoring

Identify malicious and unusual network traffic: Use network monitoring tools to identify and investigate unusual network traffic that could indicate data exfiltration. Reflectiz continuous monitoring can be used to spot such out-of-the-ordinary events.

Security Awareness Training

Educate employees on data security: Regularly train employees on cybersecurity best practices, phishing awareness, and recognizing suspicious activity. Such training will need to include the recent rise of AI-generated deep fakes in social engineering attacks.

Simulate phishing attacks: Conduct regular phishing simulations to test employee awareness and identify opportunities for improvement.

How Reflectiz Can Help

The kind of data exfiltration incidents we have described begin with data leaks and breaches, and Reflectiz continuous monitoring is an effective solution for defending your organization against both. It analyses your entire digital ecosystem to establish a baseline for permitted behaviors, then monitors for changes, and alerts you to any suspicious activities.

Reflectiz gives your privacy and legal teams detailed reports of who is accessing data items and how they process that data, who is tracking your users’ activity without cookie consent, obtaining users’ geographical locations, using their cameras and microphones without consent, recording user inputs, and more.

Reflectiz helps you protect the data in your care by quickly identifying what sensitive information your connected apps can access, and where they are sending it. It also protects your organization from web skimming and Magecart attacks, and it delivers all its insights and alerts via an intuitive interface that doesn’t overwhelm the user.

Avoid data exfiltration and the financial penalties that come with it. Sign up with Reflectiz today to experience the ultimate in data exfiltration protection.

Take control

Stay up to date with the latest news and updates

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free