What is data exfiltration?
Data exfiltration is the actual theft of information: the moment an attacker transfers data from the victim's environment to a system they control. It usually occurs late in the attack chain, once access has been gained and the sensitive data has been located and collected.
Long a discreet step, exfiltration has become central with double extortion: attackers steal the data before encrypting it, so that they can threaten to publish it even when the victim can restore from backups.
Why it matters for your organization
Exfiltration turns a technical incident into a crisis with lasting consequences: notification obligations, reputational harm, loss of competitive advantage, and regulatory penalties tied to data protection. Unlike systems, which can be restored, stolen data cannot be "taken back".
It is also what gives attackers their strongest leverage. Even an organization with sound backups remains exposed to the threat of its sensitive data being disclosed.
How to reduce the risk
- Data classification: know where sensitive information lives.
- Access control and least privilege to limit what is reachable.
- Outbound flow monitoring: abnormal volumes, destinations, timing.
- Data loss prevention (DLP) on critical channels.
- Segmentation to make gathering large volumes harder.
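The outbound-monitoring point above is the one most often left abstract. The following added example (not code from the original page) shows what "abnormal volumes, destinations, timing" looks like as detection logic: it aggregates constructed outbound flow records per host and day, then flags a host when its daily volume exceeds a multiple of its baseline, when it talks to a destination it has never used, or when most of its traffic leaves outside business hours. The record format, host names, IP addresses, baselines and thresholds are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound flow records (not real data), assumed to be
# exported as "timestamp,src_host,dst_ip,bytes_out". IPs are documentation
# ranges (RFC 5737). The 2024-03-05 night-time lines are the exfiltration.
SAMPLE_FLOWS = """\
2024-03-04T09:12:01,ws-042,203.0.113.10,120000
2024-03-04T09:40:13,ws-042,203.0.113.10,95000
2024-03-04T10:02:44,ws-042,198.51.100.7,40000
2024-03-05T02:15:09,ws-042,192.0.2.55,2500000000
2024-03-05T02:31:27,ws-042,192.0.2.55,1800000000
2024-03-05T11:05:00,ws-017,203.0.113.10,70000
2024-03-05T11:06:00,ws-017,203.0.113.10,65000
"""

# Baseline per host: destinations it normally reaches and its usual daily
# outbound volume in bytes. Assumed values; a real deployment would learn
# these from history rather than hard-code them.
KNOWN_DESTINATIONS = {
    "ws-042": {"203.0.113.10", "198.51.100.7"},
    "ws-017": {"203.0.113.10"},
}
BASELINE_DAILY_BYTES = {"ws-042": 300_000, "ws-017": 150_000}
VOLUME_MULTIPLIER = 10            # flag when daily volume > 10x baseline
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local time, assumed


def parse_flows(text):
    """Parse the assumed CSV format into dicts with a datetime and int bytes."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts),
                        "src": src, "dst": dst, "bytes": int(nbytes)})
    return records


def detect_exfiltration(records):
    """Return [(host, day, [reasons])] for host-days whose outbound traffic is
    abnormal on volume, destination or timing. Each reason is a string."""
    daily = defaultdict(lambda: {"bytes": 0, "dsts": set(), "off_hours": 0})
    for r in records:
        d = daily[(r["src"], r["ts"].date().isoformat())]
        d["bytes"] += r["bytes"]
        d["dsts"].add(r["dst"])
        if r["ts"].hour not in BUSINESS_HOURS:
            d["off_hours"] += r["bytes"]

    findings = []
    for (host, day), d in sorted(daily.items()):
        reasons = []
        baseline = BASELINE_DAILY_BYTES.get(host, 0)
        if baseline and d["bytes"] > VOLUME_MULTIPLIER * baseline:
            reasons.append(f"volume {d['bytes']} > {VOLUME_MULTIPLIER}x baseline {baseline}")
        new_dsts = d["dsts"] - KNOWN_DESTINATIONS.get(host, set())
        if new_dsts:
            reasons.append("new destination(s): " + ", ".join(sorted(new_dsts)))
        # Timing: more than half of the day's bytes left outside business hours
        if d["off_hours"] > 0.5 * d["bytes"]:
            reasons.append(f"{d['off_hours']} bytes sent outside business hours")
        if reasons:
            findings.append((host, day, reasons))
    return findings


if __name__ == "__main__":
    for host, day, reasons in detect_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"{host} {day}: " + "; ".join(reasons))
```

Run against the sample, only ws-042 on 2024-03-05 is reported, with all three reasons at once; the daytime traffic to known destinations on both hosts stays under the thresholds. In practice the three signals are worth keeping separate rather than folding into one score, because a slow exfiltration will stay under the volume threshold for days while still tripping the new-destination check.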
Where organizations most often fall short
The most common pitfall is focusing defense on the entry (preventing intrusion) while neglecting the exit (preventing data from leaving). Without outbound monitoring, exfiltration can unfold over days without a single alert. The other common mistake is not knowing where sensitive data actually resides, which makes any targeted protection impossible.