Skip to content

What is Data Exfiltration? Definition, How to Prevent It & More

Employee exfiltrating data from their company laptop.

Enabling remote and hybrid work and combating the Great Resignation have fundamentally changed the way that work gets done. On one hand, organizations have adopted new technology to empower their employees’ productivity and collaboration. On the other hand, employees have rejected the concept of a monitored, consecutive-hour workday and are accustomed to working how and where they want. They demand flexibility in the tools they use, and they feel more ownership over their tasks. 

The very nature of these changes has also put companies at greater risk of data exfiltration. Add in complexities like more collaboration tools, a volatile workforce, and an increase in growth or innovation, and the scope, volume, and impact of data exfiltration risk only increases.

In this piece, we’ll define data exfiltration, share examples of it in practice, and explain how to detect and prevent it.

What is data exfiltration?

Data exfiltration is the unauthorized removal or movement of any data from a device or network. Also known as data exportation, data leakage, or data extrusion, data exfiltration can lead to data loss and cause immense damage to an organization’s reputation and revenue. 

The same cloud-based technologies and hybrid or remote work models that help companies thrive also put them at risk of data exfiltration via insider threats in particular. One recent report found that over the span of five business quarters, the number of events in which insiders move company files to untrusted locations via methods like email, chats, cloud, etc., averages anywhere from six to 34 times per user, per day.

2023 Data Exposure Report

CISOs rank insider threat as the most difficult threat to detect

Download Report

Types of data exfiltration

Given the significant repercussions data exfiltration can have on an organization, it’s important to be able to understand all of the different ways in which it can occur. 

You can break data exfiltration into two categories: external attacks and insider threats. External attacks happen when a cybercriminal penetrates an organization’s network and data. Often, external attacks occur via malware or phishing. Sometimes malware can do its damage quickly after being introduced into a system, using attack vectors (like phishing) or payloads (like worms) to do things such as steal info or create botnets. Other times malware can  silently collect massive amounts of confidential data using payloads like dormant code or logic bombs.

Insider threats, on the other hand, stem from employees, contractors, third parties, or others with legitimate system access. Insider Risk occurs when any data exposure—regardless of type of data or user intent—jeopardizes the well-being of an organization and its employees, customers, or partners. The intent of these insider threats are often accidental or negligent: inadvertently synching work documents with a personal iCloud account; using whatever tools employees want to get the job done regardless of whether they’re approved; or simply sharing cloud files with the wrong folks or making them public.  

Indeed, a 2022 report that surveyed business leaders, cybersecurity leaders, and cybersecurity practitioners found that up to 55% of respondents were concerned about employees becoming lax in their cybersecurity practices—a phenomenon that leads to negligent actions like the ones listed above. 

While they make up a much smaller portion of activity, insider threats can also be malicious, and malicious actors often cause breaches: spying for foreign nationals, changing file names and extensions to obfuscate the value of data being moved, or taking data to get a leg up on a new role.

Security infrastructure is generally set up to handle adversarial threats, especially those that originate from external actors. But when it comes to data exfiltration, insiders can be a more significant concern. Given both the workflows at many businesses and human nature, some causes of insider breaches are more common than others. Although the list below is not exhaustive, it includes types of data exfiltration that organizations are most likely to encounter.

Non-secure cloud app behavior

While cloud technology and tools have enabled new ways of working, they’ve also intensified the scale and impact of data exfiltration. To that end, 71% of cybersecurity professionals surveyed in the 2022 report mentioned earlier are worried about sensitive data saved on local machines/personal hard drives and/or personal cloud storage and services.

Some of the most common behaviors that center around cloud apps in particular include: 

  • Using untrusted personal devices to log into corporate cloud apps
  • Making private cloud links publicly available
  • Downloading corporate data via cloud app to a home device
  • Using unsanctioned clouds (usually personal clouds) to share data with 3rd parties and colleagues

Every time an authorized user performs one of these actions, they put your data at risk.


When 319 billion emails are sent each day, it’s no surprise that some of them might be involved in data exfiltration. Many employees end up using their personal email or personal file hosting services to send or store confidential work documents. This movement can be out of convenience or it might stem from more nefarious motivations, but even emailing a work document to and from a personal Gmail, for instance, can have destructive consequences— whether employees know it or not. Most cybersecurity tools cannot distinguish between personal and corporate Gmail, because once a domain is whitelisted, it’s nearly impossible to blacklist every possible iteration of that domain.

Human error

A significant amount of data exfiltration is also caused by human error. Employees inadvertently expose data when they do things like accidentally connect an iPhone to a corporate device or share a private link to a public Slack channel. Although employees may not do these things on purpose, the resulting data exposure can be impactful. Thankfully, situational, right-sized, right-time training can help prevent these occurrences.

Uploads to browsers

When working remotely, employees may upload company data to websites or clouds that aren’t IT-approved. But shadow IT can be dangerous; with no way to turn-off employee access upon departure, and an inability to monitor what happens when data reaches that browser destination and beyond–seeing untrusted browser uploads as they happen is critical.

Downloads to untrusted devices

There could be many reasons why an employee would want to download company data and put it on their phone, tablet, or personal laptop. An employee may download a list of prospects to meet with at a conference, or they may download a report from Salesforce because they are taking that sales list to a competitor. But no matter the intent, downloading data to untrusted devices moves it to untrusted locations that are outside of your domain, causing a breach.

How to detect data exfiltration

Even when you know what data exfiltration looks like in all its forms, it’s challenging to detect. Because there are so many methods by which data exfiltration can occur, it’s near-impossible to categorize and prevent. Below, we examine a few ways analysts and software can work in tandem to identify and stop data exfiltration.

Monitor file activity

Typically, networks act as a natural filtration system, accepting or rejecting attempts to access data. But now that most employees and contractors are working in various locations, the majority of activity is taking place off-network. And outdated VPN technology notoriously brings business to a crawl.  Instead,  analysts are recognizing the end of traditional perimeters and using software to continuously validate trust and/or monitor data movement directly.

Tools that automatically surface metadata so you can see how files are moved and shared across your entire organization—and most importantly, when they move outside of trusted environments–are aligning security methodologies with workforce changes. 

This bird’s eye view of data exposure allows security analysts to distinguish between normal activity and suspicious activity that could warrant a quick response.

Know who has authorized access to data

Data exfiltration gets even more difficult to detect when authorized personnel are the ones leaking that information. That’s why security teams should know who has permission to access sensitive data and continually monitor accounts for changes in behavior. But keeping an up-to-date list isn’t so simple. Authorized users are likely constantly changing, with new employees joining the company and others leaving. Analysts can better judge the risks associated with user activity by using software specifically designed to integrate with Privileged Access Management [PAM] and HR systems to automatically refresh the list of authorized users and pick up on shifts in their behavior.

Respond accordingly to potential threats

Detecting data exfiltration is only the first step in addressing an attack. Once your security team identifies a threat, they must assess the event’s severity, trace its root cause, and contain any damage. With those details in mind, they can put together a mitigation plan that stops the negative impact of data loss on the organization. Of course, this doesn’t mean they can take their time. Security teams must act swiftly to stop data exfiltration at its source and recover sensitive information as soon as possible.

How to prevent data exfiltration

Many businesses use Data Loss Prevention (DLP) software to protect their data against exfiltration, but this methodology can fall short. In order to implement a DLP, companies must set rules that help the system identify sensitive data, block file activity, and send alerts.

But that means that your DLP solution is only as good as the rules you set. Sometimes rules can be too sensitive, triggering false alerts that take time and attention away from real threats—and force your security team to needlessly interrupt the workflow of other teams. Other times rules can be too specific, missing potential threats entirely. To comprehensively combat data exfiltration, you need to: 

  • Offer visibility and context – Organizations need comprehensive visibility into their data exposure and which activities require security intervention. That means closely monitoring computers, cloud applications, and email providers to fully evaluate potential risk.

  • Prioritize greatest risks – Companies are constantly bombarded by risks of data exfiltration, but not all of those risks are created equal. The right tools can help security teams identify the events and users that pose the greatest danger and prioritize their responses accordingly.

  • Generate an aligned response – Your security analysts need to use their limited time and resources wisely. Ideally, they’ll have access to software that allows them to orchestrate a combination of human and technical responses that are aligned with the severity of the event and situational context.

  • Optimize a positive user experience – The best Insider Risk software gives companies a holistic picture of data exposure at their organization by measuring and improving risk posture一without infringing on the employee experience.

  • Offer user training for employees – One of your best protections against data exfiltration is your employees. So teach them what steps they can take to keep your company’s data and your customers’ data safe. Leading Insider Risk platforms have built-in features to facilitate employee training, encourage proper use of their tools, and share information securely.

Keep your data and IP safe

Workforce volatility has drastically changed the way companies and employees work, and the threat landscape has changed along with it. With Insider Risk and data exfiltration on the rise, your company’s IP is at risk. 

Code42 Incydr minimizes the risk of data exfiltration from insider threats by giving security teams the visibility, context, and controls they need to stop data leaks—without slowing your business down. Its cross-platform agent and Incydr Exfiltration Detectors identify when files move outside your trusted environment. Incydr also prioritizes your highest-risk employee activity using more than 60 contextual Incydr Risk Indicators (IRIs), allowing you to programmatically protect data and speed investigations when files are most likely to be put at risk, such as during employee departure. 

Learn more about the value of Incydr yourself by checking out product demos today.

Why you need to monitor Salesforce for data exfiltration

Read Blog

You might also like: