
Data exfiltration

Data exfiltration is the unauthorized transfer of information out of an organization's systems by an attacker. It is often the final objective of an intrusion and the core of modern double-extortion attacks, where stolen data becomes blackmail leverage.

Updated on July 2, 2026

What is data exfiltration?

Data exfiltration is the actual theft of information: the moment an attacker transfers data from the victim's environment to a system they control. It usually occurs late in the attack chain, once access has been gained and the sensitive data has been located.

Long a quiet step, exfiltration has become central with double extortion: attackers steal the data before encrypting it, so they can threaten to publish it even if the victim has backups.

Why it matters for your organization

Exfiltration turns a technical incident into a crisis with lasting consequences: notification obligations, reputational harm, loss of competitive advantage, and regulatory penalties tied to data protection. Unlike systems, which can be restored, stolen data cannot be "taken back".

It is also what gives attackers powerful leverage. Even a well-backed-up organization remains vulnerable to the threat of its sensitive data being disclosed.

How to reduce the risk

  • Data classification: know where sensitive information lives.
  • Access control and least privilege to limit what is reachable.
  • Outbound flow monitoring: abnormal volumes, destinations, timing.
  • Data loss prevention (DLP) on critical channels.
  • Segmentation to make gathering large volumes harder.

Where organizations most often fall short

The most common pitfall is focusing defense on the entry (preventing intrusion) while neglecting the exit (preventing data from leaving). Without outbound monitoring, exfiltration can unfold over days with no alert. The other mistake is not knowing where sensitive data actually resides, which makes any targeted protection impossible.

Frequently asked questions

How do attackers exfiltrate data without being spotted?

By blending into normal traffic: transferring to legitimate cloud services, encrypting the stolen data, splitting it into small volumes, or using covert channels such as DNS. The goal is to avoid triggering an alert on a spike or an unusual destination.

How do you detect data exfiltration?

By monitoring outbound flows: abnormal volumes, unexpected destinations, transfers at unusual hours, mass access to sensitive data. Data loss prevention (DLP), segmentation and access control also reduce an attacker's ability to gather and then extract large volumes.
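The following script is an added example, not part of this glossary entry or of any FortaRisks product. It shows how the four detection signals just listed (and the "outbound flow monitoring" and "data classification" items under "How to reduce the risk") can be turned into concrete checks: a per-host volume baseline, destinations never seen before, large transfers outside business hours, and mass access to files carrying a sensitive classification label. The log line formats, hostnames, thresholds and the IP addresses (taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are all constructed for the example and would be replaced by the organisation's own flow and file-access telemetry.

```python
"""Added example: scoring outbound flows and file access for exfiltration signals on constructed data."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumed (constructed) line formats: "<ISO ts> src=<host> dst=<ip>:<port> bytes=<bytes sent>"
# and "<ISO ts> user=<user> read path=<path> class=<label>"; not a vendor format.
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[\d.]+):\d+ bytes=(?P<bytes>\d+)$")
ACCESS_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) read path=(?P<path>\S+) class=(?P<cls>\S+)$")

VOLUME_FACTOR = 5              # assumed: alert when a day's total exceeds 5x the host's mean daily bytes
NIGHT_MIN_BYTES = 500_000_000  # assumed: ignore small off-hours transfers
MASS_ACCESS_THRESHOLD = 5      # assumed: distinct sensitive files read by one user in the period

# Constructed baseline: daytime traffic from a workstation, nightly jobs from a backup server.
HISTORY = """\
2026-06-23T10:12:00 src=ws-042 dst=198.51.100.20:443 bytes=41000000
2026-06-24T11:40:00 src=ws-042 dst=198.51.100.20:443 bytes=52000000
2026-06-25T09:05:00 src=ws-042 dst=198.51.100.21:443 bytes=47000000
2026-06-26T14:30:00 src=ws-042 dst=198.51.100.20:443 bytes=38000000
2026-06-23T02:00:00 src=srv-backup dst=198.51.100.50:443 bytes=9000000000
2026-06-24T02:00:00 src=srv-backup dst=198.51.100.50:443 bytes=9100000000
""".splitlines()
# Constructed review day: ws-042 pushes ~8 GB at night to a never-seen address; srv-backup does its usual job.
REVIEW_FLOWS = """\
2026-07-01T10:02:00 src=ws-042 dst=198.51.100.20:443 bytes=44000000
2026-07-01T23:14:00 src=ws-042 dst=203.0.113.9:443 bytes=3900000000
2026-07-01T23:51:00 src=ws-042 dst=203.0.113.9:443 bytes=4100000000
2026-07-02T02:00:00 src=srv-backup dst=198.51.100.50:443 bytes=9050000000
""".splitlines()
# Constructed file-access records for the same evening.
REVIEW_ACCESS = """\
2026-07-01T22:40:00 user=jdoe read path=/finance/q2/forecast.xlsx class=confidential
2026-07-01T22:41:00 user=jdoe read path=/finance/q2/payroll.csv class=confidential
2026-07-01T22:41:30 user=jdoe read path=/hr/reviews/2026.docx class=confidential
2026-07-01T22:42:00 user=jdoe read path=/legal/contracts/acme.pdf class=confidential
2026-07-01T22:43:00 user=jdoe read path=/rd/roadmap.pptx class=confidential
2026-07-01T09:15:00 user=asmith read path=/finance/q2/forecast.xlsx class=confidential
2026-07-01T09:20:00 user=asmith read path=/public/brochure.pdf class=public
""".splitlines()

def is_night(hour):
    return hour >= 22 or hour < 6

def parse_flows(lines):
    """Parse matching lines into dicts; lines in another format are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            flows.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                          "dst": m["dst"], "bytes": int(m["bytes"])})
    return flows

def build_baseline(history):
    """Per host: mean bytes per active day, destinations seen, and whether it normally runs at night."""
    per_day, seen_dst, night_hosts = defaultdict(lambda: defaultdict(int)), defaultdict(set), set()
    for f in history:
        per_day[f["src"]][f["ts"].date()] += f["bytes"]
        seen_dst[f["src"]].add(f["dst"])
        if is_night(f["ts"].hour):
            night_hosts.add(f["src"])
    return {h: mean(d.values()) for h, d in per_day.items()}, seen_dst, night_hosts

def detect_flow_anomalies(review, baseline):
    """Return sorted (host, signal, detail) tuples for the volume, destination and timing signals."""
    mean_daily, seen_dst, night_hosts = baseline
    alerts, daily = set(), defaultdict(lambda: defaultdict(int))
    for f in review:
        daily[f["src"]][f["ts"].date()] += f["bytes"]
        if f["dst"] not in seen_dst.get(f["src"], set()):
            alerts.add((f["src"], "new_destination", f["dst"]))
        # Off-hours only counts for hosts with no history of night traffic, so backup jobs stay quiet.
        if is_night(f["ts"].hour) and f["bytes"] >= NIGHT_MIN_BYTES and f["src"] not in night_hosts:
            alerts.add((f["src"], "off_hours_transfer", str(f["ts"].date())))
    for host, days in daily.items():
        for day, total in days.items():
            if host in mean_daily and total > VOLUME_FACTOR * mean_daily[host]:
                alerts.add((host, "volume_spike", f"{total} bytes on {day}"))
    return sorted(alerts)

def detect_mass_access(lines, sensitive=("confidential",)):
    """Users who read at least MASS_ACCESS_THRESHOLD distinct files carrying a sensitive label."""
    files = defaultdict(set)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["cls"] in sensitive:
            files[m["user"]].add(m["path"])
    return {u: len(p) for u, p in files.items() if len(p) >= MASS_ACCESS_THRESHOLD}

def run_detection():
    baseline = build_baseline(parse_flows(HISTORY))
    return detect_flow_anomalies(parse_flows(REVIEW_FLOWS), baseline), detect_mass_access(REVIEW_ACCESS)

if __name__ == "__main__":
    for item in run_detection():
        print(item)
```

Run as a script, it reports three alerts for ws-042 (new destination, off-hours transfer, volume spike) and one mass-access finding for jdoe, while srv-backup's 9 GB nightly transfer raises nothing because the baseline shows that host normally works at night and always talks to the same destination. That contrast is the point of building a per-host baseline first: an "unusual hour" or "large volume" rule applied without one would page on every scheduled backup, and the noise would bury the real signal.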
