
What Is Data Exfiltration? The Definitive Guide to How Attackers Steal Your Data

According to BlackFog's 2024 State of Ransomware report, 93% of all ransomware attacks now involve data exfiltration — the unauthorised transfer of data from an organisation to an external destination controlled by an attacker. This is not a theoretical risk. Data exfiltration is the primary monetisation mechanism for modern cybercrime: stolen data is sold, leaked, or used as leverage in double-extortion ransomware schemes. If your security strategy focuses solely on keeping attackers out, you are ignoring the mechanism by which they actually profit.

93% of ransomware attacks now involve data exfiltration before encryption begins.

Data Exfiltration Defined

Data exfiltration is the unauthorised movement of data from inside an organisation's network to an external location controlled by a threat actor. It is distinct from a data breach in an important way: a breach is the event in which security is compromised, while exfiltration is the specific act of moving data out. Exfiltration can happen in seconds or over months, depending on the attacker's objectives. Nation-state actors may siphon data slowly to avoid detection, while ransomware groups exfiltrate as much as possible before deploying encryption. The common thread is that once data leaves your perimeter, you have lost control permanently.

Common Data Exfiltration Methods

Attackers have developed a wide range of techniques to move data past security controls undetected. Many of these methods exploit protocols and services that organisations allow by default, making them exceptionally difficult to catch with traditional perimeter defences. Understanding each method is essential for building a layered defence strategy.

  • DNS tunneling: encodes stolen data within DNS queries and responses, exploiting the fact that DNS traffic is rarely inspected by firewalls or intrusion detection systems
  • Encrypted HTTPS channels: exfiltrates data over standard HTTPS connections to attacker-controlled servers, blending in with legitimate web traffic
  • Command-and-control (C2) callbacks: malware establishes persistent outbound connections to C2 infrastructure, streaming data out in small, regular bursts
  • Cloud storage abuse: uploads stolen files to legitimate services like Google Drive, Dropbox, or OneDrive — traffic that most security tools whitelist by default
  • Steganography: hides data within image files, audio files, or video files, making exfiltration invisible to content inspection tools
  • Email-based exfiltration: attaches sensitive data to outbound emails or uses compromised email accounts to forward data to external addresses
  • Physical media: USB drives, external hard drives, or even mobile phone cameras used by malicious insiders to bypass network-level controls entirely

Why Data Exfiltration Matters More Than Ever

The economics of cybercrime have shifted decisively toward data theft. Ransomware groups discovered that encrypting data alone was not enough — organisations with good backups could recover without paying. By exfiltrating data first and threatening to publish it, attackers created a second pressure point that backups cannot solve. This double-extortion model now dominates the ransomware landscape. Beyond ransomware, stolen data feeds identity theft, corporate espionage, competitive intelligence gathering, and regulatory manipulation. The average cost of a data breach reached $4.88 million in 2024 according to IBM, and regulatory fines under GDPR can reach 4% of global annual revenue.

Real-World Data Exfiltration Examples

The MOVEit Transfer vulnerability (CVE-2023-34362) exploited by the Cl0p ransomware group resulted in data exfiltration from over 2,600 organisations including Shell, British Airways, the BBC, and multiple US government agencies. Cl0p never encrypted a single file — they exfiltrated data and threatened publication. The SolarWinds attack saw nation-state actors exfiltrate sensitive government data over nine months before detection, using DNS-based communication channels. The MGM Resorts breach in 2023 involved exfiltration of customer personal data before ransomware deployment, contributing to over $100 million in total losses. These incidents demonstrate that exfiltration is the core objective, not a side effect.

How to Detect and Prevent Data Exfiltration

Traditional security tools were not designed to stop data leaving your network — they were designed to stop threats entering it. Firewalls inspect inbound traffic. Antivirus scans for known malware signatures. EDR monitors endpoint behaviour for signs of compromise. None of these tools are specifically architected to identify and block unauthorised outbound data transfers in real time. Effective exfiltration prevention requires monitoring all outbound traffic at the device level, applying AI-driven behavioural analysis to identify anomalous data transfers, and blocking suspicious outbound connections before data reaches its destination. This is exactly the capability that Anti Data Exfiltration (ADX) technology provides.
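As an added defensive example, not code from the original article or from BlackFog's product, the Python below scores outbound DNS query logs for the tunnelling pattern described in the methods list: many never-repeated, high-entropy labels under a single domain, which ordinary hostnames do not produce. The hosts, domains, log lines and thresholds are constructed, and the "last two labels" rule for the registered domain is a simplification.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log as (source host, queried name); not real traffic.
SAMPLE_DNS_LOG = [
    ("ws-12", "www.example.com"), ("ws-12", "mail.example.com"),
    ("ws-12", "www.example.com"), ("ws-12", "cdn.example.com"),
] + [  # CDN-style naming: many subdomains, but short low-entropy labels
    ("ws-03", f"img{i}.cdn-example.org") for i in range(1, 7)
] + [  # tunnelling-like: many never-repeated, high-entropy labels under one domain
    ("ws-07", f"{label}.exfil-example.net")
    for label in ("0123456789abcdef", "fedcba9876543210", "3f9a1c7e0b5d2846",
                  "a1b2c3d4e5f67890", "7e0f1a2b3c4d5698", "9c8d7e6f5a4b3210")
]

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Assumption: last two labels. Production code should use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])

def analyse_dns_log(records, min_unique=5, min_entropy=3.0):
    """Group queries by (host, domain); flag groups with many unique, high-entropy labels."""
    subdomains = defaultdict(set)
    for host, qname in records:
        qname = qname.lower().rstrip(".")
        domain = registered_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")
        if prefix:  # bare-domain queries carry no encoded payload
            subdomains[(host, domain)].add(prefix)
    report = {}
    for key, labels in subdomains.items():
        mean_entropy = sum(shannon_entropy(s) for s in labels) / len(labels)
        report[key] = {
            "unique_subdomains": len(labels),
            "mean_entropy": round(mean_entropy, 2),
            "flagged": len(labels) >= min_unique and mean_entropy >= min_entropy,
        }
    return report

if __name__ == "__main__":
    for (host, domain), stats in sorted(analyse_dns_log(SAMPLE_DNS_LOG).items()):
        print(host, domain, stats)
```

The CDN-style host is deliberately included to show why label count alone is a poor signal: it produces as many unique subdomains as the tunnelling host but is not flagged because its labels carry little entropy.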

Frequently Asked Questions

What is data exfiltration in cybersecurity?

Data exfiltration is the unauthorised transfer of data from an organisation's network to an external destination controlled by a threat actor. It is the primary mechanism by which stolen data is monetised in ransomware, espionage, and cybercrime operations.

What is the most common method of data exfiltration?

Encrypted HTTPS channels and cloud storage abuse are the most common methods because they blend in with legitimate traffic. DNS tunneling and C2 callbacks are also widely used, particularly by sophisticated threat actors and ransomware groups.

How is data exfiltration different from a data breach?

A data breach is the broader event in which an organisation's security is compromised. Data exfiltration is the specific act of moving data out of the organisation. Not all breaches involve exfiltration — some involve only encryption or destruction — but 93% of ransomware attacks now include exfiltration.

Can firewalls prevent data exfiltration?

Traditional firewalls are designed to filter inbound traffic and are largely ineffective against data exfiltration. Outbound traffic on allowed ports (HTTPS/443, DNS/53) passes through firewalls unimpeded. Stopping exfiltration requires dedicated outbound traffic monitoring and analysis.

What industries are most targeted by data exfiltration attacks?

Healthcare, financial services, government, education, and manufacturing are the most targeted sectors due to the high value of their data. However, every industry is at risk — attackers target any organisation with data worth stealing or leveraging for ransom.

See how BlackFog prevents data exfiltration in real time

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.


Ready to stop data exfiltration?

Start with a free 30-day BlackFog assessment — 25 devices, no obligation.