Data exfiltration is the unauthorized transfer of your data out of your device or network—quietly slipping customer records, passwords, designs, or finances to an attacker. It’s the punchline of many breaches: get in, get data out, cash in.
Stolen data fuels identity theft, fraud, and extortion (including “double-extortion” ransomware). Even small leaks can trigger fines, lost customers, and public trust damage.
Malware & ransomware: plant stealers, then zip and send files out.
Phishing & social engineering: trick users into uploading or sharing.
Abused access: compromised accounts, API tokens, or misconfigured cloud storage.
Covert channels: HTTPS to look legit, DNS/HTTP beacons, cloud drives, or personal email.
Repeated outbound connections to odd domains/IPs, especially at night
Sudden spikes in upload traffic or big archives leaving the network
New mail forwarding rules, unknown OAuth app connections
Security tools disabled, or logs conveniently missing
Isolate affected systems; preserve logs and memory—don’t wipe yet.
Block destinations (domains/IPs/accounts) and kill suspicious sessions/tokens.
From a clean device, rotate credentials and keys (admins, APIs, cloud).
Start scope & impact: what data, whose data, how much, and when.
Engage IR/Sec and notify stakeholders; follow legal/regulatory steps.
MFA everywhere; least-privilege access and regular access reviews.
Patch fast on internet-facing apps; monitor endpoints with EDR.
Encrypt sensitive data at rest and in transit; disable public buckets/shares.
Egress controls: DNS filtering, proxy allowlists, DLP rules for uploads and email.
Detect early: alerts for large downloads, mass file access, new forwarders/OAuth apps.
Train people: verify unusual data requests out of band; beware of urgent “executive” asks.