Businesses across all sectors, from finance to healthcare, hold valuable company data and intellectual property relating to their operations, employees, and customers. But this data has become a prime target for bad actors, including cybercriminals and malicious insiders who are constantly finding new ways to steal it for profit or harm.
For example, popular personal genomics company, 23andMe, recently fell victim to a massive data breach that exposed the genetic information and profiles of nearly 6.9 million users [*]. Why and how this happened remains unknown.
But what we do know is that these data exfiltration attacks typically come in two forms:
- Attacks from within, i.e., insider threats (like employees misusing their access or sheer negligence); and
- Attacks from outside your organization (think cybercriminals and competitors using different methods to breach your defenses).
And they’re getting more creative by the day – from credential stuffing to social engineering attacks, the methods are evolving faster than many businesses can keep up with. Even more troubling, most companies take about 277 days to spot and stop a data breach [*].
In this guide, we’ll walk you through 20 real-world examples of data exfiltration that showcase just how creative and determined these attackers can be. More importantly, we’ll show you exactly what to look out for to keep your organization’s data where it belongs – safe and secure.
Data Exfiltration Examples by Insiders
Data exfiltration by insiders occurs when an employee, contractor, or partner misuses their access to sensitive information and shares it with external entities.
This can be deliberate, driven by motives like financial gain, revenge, or competitive advantage, or accidental, resulting from negligence or poor security practices. Insiders are particularly dangerous because they often possess the access, knowledge, and technical expertise to bypass existing security solutions or protocols.
Here are some notable examples of data exfiltration incidents:
1. Alibaba: Developer’s Unauthorized Data Scraping
Between November 2019 and March 2020, a developer working for an affiliate marketer scraped over 1.1 billion pieces of user data from Alibaba’s Taobao shopping website. Using crawler software, the developer collected usernames and mobile numbers, intending to use the data for marketing purposes [*].
2. Apple: Theft of Trade Secrets by Former Employees
In 2022, Apple accused startup Rivos of hiring former employees who took gigabytes of confidential SoC (System on Chip) information before leaving Apple. The employees used encrypted messaging platforms to discuss plans for exfiltrating data and to avoid detection. Additionally, others allegedly used external storage devices and personal email accounts to transfer Apple’s proprietary files [*].
3. Pfizer: Employee’s Unauthorized Data Transfer
In 2021, Pfizer reported a significant insider breach involving an employee who exfiltrated confidential COVID-19 vaccine-related documents. Chun Xiao Li was accused of transferring over 12,000 sensitive files to her personal devices without authorization during her employment.
These files included critical data such as clinical trial results, regulatory submissions, internal presentations, and business strategies. Pfizer discovered the breach when Li tendered her resignation and attempted to join a competitor [*].
4. Unnamed Company: North Korean Insider Threat
In October 2024, an unnamed company hired a remote IT contractor. The worker initially appeared to be a legitimate contractor, providing software development and IT services.
However, investigations later revealed that the contractor was part of a larger operation linked to North Korea’s state-sponsored hacking activities, specifically aimed at generating revenue through cybercrime.
During their employment, the worker accessed and exfiltrated sensitive corporate data, including proprietary project files, internal communication logs, and potentially customer information.
After their dismissal, the individual demanded a six-figure ransom in cryptocurrency, threatening to release the stolen data publicly or sell it to competitors [*].
5. First Republic Bank: Former Engineer Erases Critical Data After Termination
In 2023, Miklos Daniel Brody, a former cloud engineer at First Republic Bank (FRB), was sentenced to two years in prison for sabotaging the company’s systems following his termination. After his dismissal, Brody retained his company-issued laptop and used it to access the organization’s network without authorization.
During this time, he deleted critical code repositories, emailed himself proprietary code, and inserted taunting messages into the codebase. His actions caused significant operational disruptions and financial losses of over $220,000 [*].
6. New York Credit Union: Fired Employee Deletes 21GB of Data in Revenge
In May 2021, Juliana Barile, a former part-time employee of a New York credit union, retaliated after her termination by deleting over 21 gigabytes of critical data.
Despite her dismissal, her access credentials were not immediately revoked, allowing her to log into the credit union’s server remotely.
Over 40 minutes, Barile deleted 20,000 files and 3,500 directories, including mortgage loan applications and anti-ransomware software documentation [*].
7. Cash App: Former Employee Steals Data of 8.2 Million Users
In December 2021, a former employee of Block Inc., the parent company of Cash App, accessed sensitive reports containing the personal information of 8.2 million U.S. Cash App Investing users.
The exfiltrated data included full names, brokerage account numbers, portfolio values, holdings, and trading activities. Block Inc. discovered the unauthorized access months later and alerted affected users, law enforcement, and regulatory bodies [*].
8. Avaya: Sysadmin Exploits Access to Sell Illegal VoIP Licenses
In June 2022, Brad Pearce, a former system administrator at Avaya Holdings Corporation, exploited his privileged access to illegally generate and sell VoIP software licenses for the company’s IP Office telephone system.
Pearce collaborated with Jason Hines, a de-authorized reseller, to distribute these licenses globally at prices far below market value. To conceal his actions, Pearce hijacked former employees’ accounts to create additional licenses, resulting in an estimated $88 million in financial losses for Avaya [*].
9. Proofpoint: Former Executive Accused of Stealing Proprietary Company Information
In July 2021, Samuel Boone, a former Director of National Partner Sales at cybersecurity firm Proofpoint, was accused of stealing proprietary company information before leaving to join competitor Abnormal Security.
According to Proofpoint, Boone accessed sensitive internal documents, including a “battlecard” outlining strategies to compete with Abnormal Security, and transferred them onto a USB drive. This alleged act of data exfiltration occurred shortly before Boone’s resignation [*].
10. Tesla: Former Employees Leak Confidential Data to German News Outlet
In May 2023, Tesla discovered that two former employees had leaked approximately 100 GB of confidential data to the German newspaper Handelsblatt.
The compromised information, dubbed the “Tesla Files,” included personal details of over 75,000 current and former employees, such as names, addresses, phone numbers, email addresses, and Social Security numbers [*].
Data Exfiltration Examples by Outsiders
While insider threats leverage internal access to exfiltrate sensitive data, outsider exfiltration involves individuals or groups external to an organization targeting weaknesses in its defenses. These attackers often employ advanced tactics such as phishing, malware deployment, or exploiting software vulnerabilities to gain unauthorized access to data.
Here are some notable examples of attacks by external malicious actors:
11. Atlassian: Confluence Zero-Day Vulnerability (CVE-2023-22515) Exploited
In October 2023, threat actors exploited a previously unknown vulnerability (CVE-2023-22515) in Atlassian’s Confluence Data Center and Server.
This critical flaw allowed unauthenticated attackers to create unauthorized administrator accounts, granting them full access to Confluence instances.
The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog, anticipating widespread exploitation across both government and private networks. Organizations were urged to apply patches promptly to mitigate the risk [*].
12. Progress Software: MOVEit Transfer SQL Injection Vulnerability
In May 2023, the Cl0p ransomware group exploited a critical SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a managed file transfer solution by Progress Software. This zero-day vulnerability allowed attackers to deploy a web shell named “LEMURLOOT,” facilitating unauthorized access to MOVEit Transfer databases.
The breach led to the exfiltration of sensitive data from numerous organizations, including government agencies and private companies. Notable victims included the BBC, British Airways, and the U.S. Department of Energy. The attackers demanded ransoms, causing significant operational disruptions and financial losses [*].
13. Sophos: Firewalls Compromised by Chinese Hackers
Over a five-year period leading up to October 2024, Chinese hacking groups, including APT41 and APT31, exploited vulnerabilities in Sophos firewall products. The attackers employed sophisticated techniques, such as deploying botnets and malware, to compromise Sophos firewalls.
In addition, they developed stealthy persistence mechanisms, including custom userland rootkits and, in some instances, bootkits—a rare tactic for firewall devices. These methods allowed the attackers to maintain long-term access to compromised systems [*].
14. LastPass: Password Manager Breach Exposes User Vaults
In August 2022, LastPass, a widely used password manager, suffered a security breach where attackers accessed customer data and partially encrypted password vaults.
The threat actor initially gained unauthorized access to portions of their development environment through a compromised developer’s laptop.
They then targeted a senior DevOps engineer, using a keylogger to obtain the engineer’s master password, which granted access to an encrypted corporate vault containing keys to S3 buckets with customer files. There was a reported loss of over $35 million in cryptocurrency thefts from more than 150 victims [*].
15. Wawa: Payment Card Breach Exposes Over 30 Million Accounts
In December 2019, Wawa Inc., a major convenience store and gas station chain, announced a significant data breach affecting its payment processing systems.
The breach, which persisted from March 4 to December 12, 2019, compromised customer payment card information, including debit and credit card numbers, expiration dates, and cardholder names. The malware responsible was present on point-of-sale terminals and fuel dispensers across approximately 850 Wawa locations, potentially impacting over 30 million payment cards [*].
16. Masslogger Trojan: Credential-Stealing Campaign Across Europe
In early 2021, the Masslogger trojan targeted users in Turkey, Latvia, and Italy in a stealthy credential-stealing campaign. Attackers sent phishing emails with disguised RAR attachments that bypassed security filters and other authentication protocols. Once opened, the malware was downloaded and ran directly in memory, avoiding detection.
Masslogger stole login credentials from applications like Microsoft Outlook and Google Chrome, sending the data through email, FTP, or HTTP [*].
17. Magellan Health: Phishing Attack Exposes Sensitive Data of 364,000 Individuals
In April 2020, Magellan Health, a Fortune 500 healthcare company, fell victim to a phishing attack. The attackers sent a spear-phishing email impersonating a Magellan client, which led to unauthorized access to the company’s systems. Once inside, the attackers deployed ransomware, encrypting files and severely disrupting the company’s operations.
The breach exposed sensitive Personally Identifiable Information (PII) of 364,000 individuals, including names, addresses, employee ID numbers, Social Security numbers, and, in some cases, details about health insurance plans. Magellan Health faced multiple class-action lawsuits and settled for $1.43 million in 2022 [*].
18. 3CX: Supply Chain Attack Compromises VoIP Software
In March 2023, 3CX, a global VoIP software provider, experienced a major supply chain attack that affected thousands of organizations. Hackers compromised the 3CX Desktop App for Windows and macOS, embedding malicious code into legitimate software updates.
This allowed the malware to be installed on user systems, enabling attackers to access sensitive data and deploy further payloads. The attack, linked to the North Korean Lazarus Group, focused on data theft and surveillance, particularly targeting cryptocurrency firms [*].
19. Blue Yonder: Ransomware Attack Disrupts Retail Operations
In November 2024, Blue Yonder, a leading supply chain software provider, suffered a ransomware attack that disrupted operations for major retailers, including Starbucks, Morrisons, and Sainsbury’s. The attack targeted Blue Yonder’s hosted environment, causing system outages that affected employee scheduling, payroll, and warehouse management.
Starbucks resorted to manual processes to manage staff payments, while Morrisons and Sainsbury’s faced disruptions in fresh produce supplies, leading to empty shelves in some stores [*].
20. Stoli Group USA: Cyberattack Triggers Bankruptcy Filing
In August 2024, Stoli Group USA, known for its vodka brand, suffered a crippling ransomware attack that disrupted its key operations. The company had to switch to manual processes, which made it difficult to meet banking and financial reporting requirements.
This disruption added to the company’s existing challenges, including ongoing legal disputes with Russia over branding rights. By November 2024, the financial strain from the attack and legal issues forced Stoli Group USA and its Kentucky Owl whiskey brand to file for Chapter 11 bankruptcy. The company reported liabilities of $50 million to $100 million [*].
How To Detect Data Exfiltration: A Step-by-Step Guide
Detecting data exfiltration requires monitoring, analyzing, and responding to unusual activities across your system. Here’s how:
Step 1: Monitor Network Traffic and Anomalies
Use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to monitor network traffic for unusual patterns.
What to Look For:
- Unexpected spikes in data transfer volume, especially during non-business hours.
- Large volumes of data leaving the organization via email, FTP, cloud services, or other external channels.
- Unusual destinations for outgoing traffic, such as unrecognized IP addresses or foreign servers.
💡Teramind Nuggets → Analyze the contents of network packets to detect sensitive data leaving the organization. You should also set thresholds for normal traffic volumes and configure alerts for deviations.
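The three indicators listed under Step 1 (volume spikes, off-hours transfers, unrecognized destinations) are simple to express as rules over flow records. The following is an added example, not code from the original article or from any product it mentions: it scores constructed firewall/NetFlow-style records against a daily egress threshold, a business-hours window, and destination and port allowlists. All thresholds, allowlists, host names and IP ranges are assumed values; a real deployment would derive them from its own traffic baseline.

```python
"""Score outbound flow records for exfiltration indicators.

Added example (not code from the original article or from any product it
mentions). Applies the three checks listed under Step 1 to constructed
firewall/NetFlow-style records: per-host egress volume against a daily
threshold, transfers outside business hours, and destinations or ports
that are not on an allowlist. Thresholds, allowlists and host names are
assumed values that a real deployment would derive from its own baseline.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values.
BUSINESS_HOURS = range(8, 19)           # 08:00-18:59 local time
DAILY_EGRESS_THRESHOLD = 2_000_000_000  # 2 GB per host per day, external destinations only
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_DESTINATIONS = [ip_network("198.51.100.0/24")]  # e.g. a sanctioned SaaS range
APPROVED_PORTS = {443, 22}

# Constructed sample records: (timestamp, source host, destination IP, dest port, bytes out).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, used here as placeholders.
SAMPLE_FLOWS = [
    ("2024-06-03 10:15:00", "ws-finance-07", "198.51.100.5", 443, 1_200_000),
    ("2024-06-03 11:02:00", "ws-finance-07", "198.51.100.5", 443, 800_000),
    ("2024-06-03 02:40:00", "ws-finance-07", "203.0.113.77", 21, 3_500_000_000),
    ("2024-06-03 02:55:00", "ws-finance-07", "203.0.113.77", 21, 2_100_000_000),
    ("2024-06-03 14:20:00", "srv-backup-01", "10.20.0.9", 22, 9_000_000_000),
    ("2024-06-03 15:00:00", "ws-hr-03", "198.51.100.12", 443, 50_000_000),
]


def is_internal(dst: str) -> bool:
    """True for east-west traffic, which is not egress and is skipped."""
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_approved_destination(dst: str) -> bool:
    addr = ip_address(dst)
    return any(addr in net for net in APPROVED_DESTINATIONS)


def analyze_flows(flows):
    """Return {host: [finding, ...]} for hosts with at least one indicator."""
    findings = defaultdict(list)
    egress_per_host = defaultdict(int)
    for ts, host, dst, port, nbytes in flows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if is_internal(dst):
            continue
        egress_per_host[host] += nbytes
        if when.hour not in BUSINESS_HOURS:
            findings[host].append(f"off-hours egress of {nbytes} bytes to {dst} at {ts}")
        if not is_approved_destination(dst):
            findings[host].append(f"egress to unapproved destination {dst}")
        if port not in APPROVED_PORTS:
            findings[host].append(f"egress on unusual port {port} to {dst}")
    # The volume check runs over the whole window so that many small transfers add up.
    for host, total in egress_per_host.items():
        if total > DAILY_EGRESS_THRESHOLD:
            findings[host].append(
                f"total egress {total} bytes exceeds daily threshold {DAILY_EGRESS_THRESHOLD}")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in analyze_flows(SAMPLE_FLOWS).items():
        print(host)
        for note in notes:
            print("  -", note)
```

On the constructed data only `ws-finance-07` is flagged: two early-morning FTP transfers to an unlisted address, each producing three findings, plus a fourth kind of finding once the day's total crosses the 2 GB threshold. The backup server's 9 GB transfer is ignored because its destination is internal. Summing volume per host over the window rather than per flow is what catches a slow, chunked transfer that never trips a per-connection size limit.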
Step 2: Conduct Endpoint Activity Monitoring
Use endpoint detection tools to monitor user activity and identify suspicious behavior.
What to Look For:
- Unusual access to sensitive files by users who don’t typically handle such data.
- Multiple failed login attempts or unauthorized access to restricted areas.
- Use of USB devices or external storage without authorization.
💡Teramind Nuggets → Use Data Loss Prevention (DLP) tools to restrict and monitor sensitive data movement on endpoints.
Step 3: Analyze User Behavior
Establish baselines for normal user behavior using User and Entity Behavior Analytics (UEBA) tools.
What To Look For:
- Flag anomalies such as:
  - Accessing large volumes of files in a short time.
  - Unusual user activity, including login times, locations, devices, and file access patterns.
- Pay special attention to users with administrative or elevated access.
- Look for unauthorized changes in permissions or attempts to access restricted systems.
💡Teramind Nuggets → Regularly audit access permissions to ensure employees only have access to the data they need for their roles.
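Steps 2 and 3 both come down to the same mechanism: build a per-user baseline from a history window, then score new activity against it. The following is an added example covering both steps; it is not code from the original article or from any product it mentions. It builds a baseline per user (mean and standard deviation of daily file reads, the hours at which the user logs in, the shares the user normally touches) from constructed audit events, then scores one day's events for bulk reads far above the user's norm, logins at hours never seen before, bursts of failed logins, first-time access to a sensitive share, and accounts with no baseline at all. The event format, share names, thresholds and the sensitive-share classification are assumed.

```python
"""Per-user behavioral baselines scored against a new day's audit events.

Added example covering Steps 2 and 3 above; it is not code from the
original article or from any product it mentions. A baseline is built per
user from a history window (mean and standard deviation of daily file
reads, hours at which the user logs in, shares the user normally touches),
then one day's events are scored against it. Event format, share names,
thresholds and the sensitive-share classification are all assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SENSITIVE_SHARES = {"hr", "finance", "legal"}  # assumed data classification
FAILED_LOGIN_BURST = 5                          # assumed threshold per user per day
SIGMA = 3.0                                     # deviations above the mean that trigger a flag


def _constructed_history():
    """Five quiet working days for two users (constructed sample data)."""
    events = []
    for day, a_reads, b_reads in zip(range(3, 8), [10, 12, 11, 9, 13], [3, 4, 3, 5, 4]):
        d = f"2024-06-{day:02d}"
        events.append((f"{d} 09:00:00", "alice", "login_ok", "ws-finance-07"))
        events += [(f"{d} 09:{m:02d}:00", "alice", "file_read", f"/finance/q2/doc{m}.xlsx")
                   for m in range(1, a_reads + 1)]
        events.append((f"{d} 10:00:00", "bob", "login_ok", "ws-mkt-02"))
        events += [(f"{d} 10:{m:02d}:00", "bob", "file_read", f"/marketing/plan{m}.docx")
                   for m in range(1, b_reads + 1)]
    return events


def _constructed_today():
    """One day with a 2 a.m. bulk read, a failed-login burst and an unknown account."""
    d = "2024-06-10"
    ev = [(f"{d} 02:10:00", "alice", "login_ok", "ws-finance-07")]
    ev += [(f"{d} 02:15:{s:02d}", "alice", "file_read", f"/finance/q2/doc{s}.xlsx") for s in range(60)]
    ev += [(f"{d} 02:16:{s:02d}", "alice", "file_read", f"/hr/salaries{s}.xlsx") for s in range(5)]
    ev += [(f"{d} 10:00:{s:02d}", "bob", "login_failed", "ws-mkt-02") for s in range(6)]
    ev.append((f"{d} 10:01:00", "bob", "login_ok", "ws-mkt-02"))
    ev += [(f"{d} 10:{m:02d}:00", "bob", "file_read", f"/marketing/plan{m}.docx") for m in range(2, 6)]
    ev.append((f"{d} 11:00:00", "carol", "login_ok", "ws-tmp-01"))
    ev.append((f"{d} 11:01:00", "carol", "file_read", "/finance/q2/doc1.xlsx"))
    return ev


def build_baseline(events):
    """Events are (timestamp, user, kind, detail); returns {user: baseline dict}."""
    reads_per_day = defaultdict(lambda: defaultdict(int))
    login_hours = defaultdict(set)
    shares = defaultdict(set)
    for ts, user, kind, detail in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "file_read":
            reads_per_day[user][when.date()] += 1
            shares[user].add(detail.split("/")[1])   # top-level share of the path
        elif kind == "login_ok":
            login_hours[user].add(when.hour)
    baseline = {}
    for user in set(reads_per_day) | set(login_hours):
        counts = list(reads_per_day[user].values()) or [0]
        baseline[user] = {"mean_reads": mean(counts), "std_reads": pstdev(counts),
                          "login_hours": login_hours[user], "shares": shares[user]}
    return baseline


def score_day(baseline, events):
    """Return {user: [finding, ...]} for users whose day deviates from their baseline."""
    findings = defaultdict(list)
    reads = defaultdict(int)
    failed = defaultdict(int)
    new_shares = defaultdict(set)
    for ts, user, kind, detail in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        base = baseline.get(user)
        if base is None:
            if not findings[user]:
                findings[user].append("no behavioral baseline for this account")
            continue
        if kind == "file_read":
            reads[user] += 1
            share = detail.split("/")[1]
            if share in SENSITIVE_SHARES and share not in base["shares"]:
                new_shares[user].add(share)
        elif kind == "login_ok" and when.hour not in base["login_hours"]:
            findings[user].append(f"login at hour {when.hour:02d}, never seen in baseline")
        elif kind == "login_failed":
            failed[user] += 1
    for user, n in reads.items():
        base = baseline[user]
        # max(std, 1.0) keeps a perfectly regular user from being flagged by a single extra file.
        limit = base["mean_reads"] + SIGMA * max(base["std_reads"], 1.0)
        if n > limit:
            findings[user].append(f"{n} file reads vs. baseline limit {limit:.1f}")
    for user, n in failed.items():
        if n >= FAILED_LOGIN_BURST:
            findings[user].append(f"{n} failed logins in one day")
    for user, s in new_shares.items():
        findings[user].append(f"first-time access to sensitive share(s) {sorted(s)}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in score_day(build_baseline(_constructed_history()), _constructed_today()).items():
        print(user, notes)
```

On the constructed data `alice` collects three findings (a 2 a.m. login, 65 reads against a limit of about 15, first-time access to the `hr` share), `bob` one (six failed logins), and `carol` one (no baseline, which is exactly the case of a newly created or dormant account that Step 3 says deserves attention). The baseline here is a five-day window for brevity; the same code works over a longer window, and the per-share check is what implements the Step 2 item about sensitive files being touched by users who do not normally handle them.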
Step 4: Monitor Cloud, DNS and Email Activity
What to Look For:
- DNS tunneling, where data is hidden inside DNS queries to exfiltrate it.
- Large attachments in emails being sent to unusual or unauthorized recipients.
- Phishing attempts that precede exfiltration attempts.
💡Teramind Nuggets → If your system is in a cloud environment, use Cloud Access Security Brokers (CASB) to track data movement. You can also enable geofencing to restrict access from unapproved locations.
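DNS tunneling is the item in Step 4 that most benefits from a concrete detection rule, because the signal is statistical rather than a single bad query. The following is an added example, not code from the original article or from any product it mentions: it parses constructed resolver log lines and, per domain, looks at the number of distinct subdomains, the character entropy and length of those subdomains, and the share of record types (TXT, NULL) that ordinary clients rarely query. The log format, thresholds and domain names are assumed, and "registered domain" is approximated as the last two labels, which is a simplification (it mishandles suffixes like co.uk).

```python
"""Heuristic DNS tunneling detection over resolver log lines.

Added example (not code from the original article or from any product it
mentions). Per domain it tracks distinct subdomains, subdomain entropy and
label length, and the share of rarely used record types. Log format,
thresholds and domain names are assumed; the last two labels stand in for
the registered domain, a deliberate simplification.
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean

# Assumed thresholds.
MIN_UNIQUE_SUBDOMAINS = 10  # distinct subdomains before the entropy rule applies
ENTROPY_THRESHOLD = 4.0     # bits per character of the subdomain part
LONG_LABEL = 40             # a single label longer than this is suspicious
RARE_TYPES = {"TXT", "NULL"}


def _constructed_log():
    """Constructed resolver log: '<time> <client> <qtype> <qname>'."""
    lines = [
        "2024-06-03T09:15:02 ws-hr-03 A www.example.com",
        "2024-06-03T09:15:03 ws-hr-03 A cdn.example.com",
        "2024-06-03T09:16:10 ws-finance-07 A mail.example.com",
        "2024-06-03T09:16:11 ws-finance-07 AAAA www.example.com",
        "2024-06-03T09:17:00 ws-mkt-02 TXT _dmarc.example.com",
    ]
    # Twelve queries whose leftmost label is a base32 chunk of arbitrary bytes,
    # the shape that encoded data takes when it is carried in query names.
    for i in range(12):
        chunk = base64.b32encode(hashlib.sha256(f"chunk-{i}".encode()).digest())
        chunk = chunk.decode().rstrip("=").lower()
        lines.append(f"2024-06-03T02:41:{i:02d} ws-finance-07 TXT {chunk}.t.tunnel.example")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character; ~4.7 for random base32, well under 3 for ordinary host names."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain part, registered domain) using the last-two-labels approximation."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname


def analyze_dns(lines):
    """Return {domain: {"reasons": [...], "clients": [...], "queries": n}} for flagged domains."""
    per_domain = defaultdict(lambda: {"subs": set(), "qtypes": Counter(), "clients": set(),
                                      "entropies": [], "max_label": 0})
    for line in lines:
        _, client, qtype, qname = parse_line(line)
        sub, dom = split_name(qname)
        st = per_domain[dom]
        st["qtypes"][qtype] += 1
        st["clients"].add(client)
        if sub:
            st["subs"].add(sub)
            st["entropies"].append(shannon_entropy(sub.replace(".", "")))
            st["max_label"] = max(st["max_label"], max(len(l) for l in sub.split(".")))
    findings = {}
    for dom, st in per_domain.items():
        reasons = []
        total = sum(st["qtypes"].values())
        rare = sum(st["qtypes"][t] for t in RARE_TYPES)
        avg_entropy = mean(st["entropies"]) if st["entropies"] else 0.0
        if len(st["subs"]) >= MIN_UNIQUE_SUBDOMAINS and avg_entropy > ENTROPY_THRESHOLD:
            reasons.append(f"{len(st['subs'])} distinct subdomains with mean entropy {avg_entropy:.2f}")
        if st["max_label"] > LONG_LABEL:
            reasons.append(f"label of {st['max_label']} characters")
        if total >= MIN_UNIQUE_SUBDOMAINS and rare / total > 0.5:
            reasons.append(f"{rare}/{total} queries for rare record types")
        if reasons:
            findings[dom] = {"reasons": reasons, "clients": sorted(st["clients"]), "queries": total}
    return findings


if __name__ == "__main__":
    for dom, info in analyze_dns(_constructed_log()).items():
        print(dom, info)
```

On the constructed log `example.com` is left alone (four short, low-entropy subdomains and one legitimate `_dmarc` TXT lookup), while `tunnel.example` trips all three rules and the output names the single client that queried it, which is the pivot an analyst needs for the endpoint checks in Step 2. Each rule alone produces false positives (CDNs use long hashed labels, mail systems query TXT constantly), so combining them per domain, as here, is what keeps the alert volume manageable.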
Step 5: Inspect Physical Access and Data Movement
What To Look For:
- Employees or contractors accessing restricted areas during unusual hours or in a manner that deviates from their normal behavior, for instance entering data centers or server rooms without proper authorization or during off-hours.
- Any signs of tampering with physical security systems such as badge readers, security cameras, or access logs.
- Unexplained movement of company equipment, like laptops or external storage devices.
- Devices not approved by the IT department, such as personal laptops, phones, or digital products.
💡Teramind Nuggets → Set up decoy files or systems that mimic real sensitive data to lure potential attackers. In addition, you can implement access controls for sensitive physical areas, such as server rooms. Also adopt biometric systems or RFID cards to log entries and exits.
Step 6: Regularly Test and Update Detection Mechanisms
- Keep your detection systems updated against the latest attack vectors.
- Simulate data exfiltration scenarios to test your defenses and identify gaps in your detection and response capabilities.
- Leverage machine learning algorithms to identify complex data exfiltration techniques; AI tools can detect subtle anomalies, such as changes in file transfer protocols or encrypted traffic.
💡Teramind Nuggets → Conduct regular penetration testing and red team exercises to simulate data exfiltration attempts.
Prevent Data Exfiltration with Teramind
At every turn — and on every channel — several stories of data leaks are making the headlines daily. Hoping your organization won’t be next isn’t a strategy – it’s a gamble.
Whether it’s an employee gradually downloading sensitive files or a malware attack, the risk of data exfiltration goes beyond just losing a ‘couple of files’—it’s about losing everything you’ve built. This is where Teramind changes the outcome. It spots potential data theft before it becomes a breach by providing real-time visibility into every user action, file transfer, and system access.
Why Teramind?
- Complete Audit Trails and Forensics. Teramind stores every action captured securely, providing detailed audit trails and forensics data in the event of an incident.
- Insider Threat Detection. Teramind’s advanced analytics establish behavioral baselines for each user, flagging deviations such as excessive data access, unusual login times, or abnormal file activity.
- Real-Time Alerts and Incident Response. With Teramind’s customizable real-time alerts, your team gets instant notifications of suspicious activities, such as bulk file downloads or attempts to access restricted files.
- Flexible Deployment Options. Whether you prefer on-premises, cloud, or hybrid solutions, Teramind adapts to your organization’s infrastructure.
While other companies are busy dealing with data breaches, you could be preventing them entirely.
Teramind gives you the visibility you need to keep your data where it belongs and your business name out of those data breach headlines. Simple as that.
Data Exfiltration FAQs
What is Data Exfiltration?
Data Exfiltration refers to the unauthorized transfer or removal of sensitive information from a computer system or network to an external destination. Essentially, it is a form of data theft where confidential or proprietary data is copied, transferred, or accessed without proper authorization. This activity can be conducted by malicious insiders within an organization or by external attackers who gain unauthorized access.
What’s the Difference Between Data Exfiltration, Data Leakage, and Data Breach?
While the terms are often used interchangeably, they represent different types of data security incidents:
- Data Exfiltration. This is the intentional and unauthorized transfer of data from a system or network, typically carried out by malicious actors or insiders with intent to steal sensitive information. Think of it like a burglar sneaking valuables out of your home.
- Data Leakage. This is the unintentional exposure of sensitive information due to security oversights, misconfigurations, or human error. Imagine forgetting to lock your front door and leaving your valuables accessible to anyone.
- Data Breach. A data breach is a broader term encompassing any unauthorized access to sensitive information, whether through exfiltration, leakage, or other means. It’s the overall event in which someone gains access to your data—whether by theft, negligence, or exploitation.
What Are the Most Common Types of Data Exfiltration?
Data exfiltration can occur through various methods, both intentional and accidental. Here are some of the most common types:
- Exfiltration Through Email. Attackers often use phishing schemes to trick employees into sending confidential data via email, or insiders may deliberately email sensitive information to external accounts.
- Data Downloads to Personal Devices. Employees might download sensitive information to personal laptops, USB drives, or mobile devices—either unintentionally or with malicious intent.
- Uploads to Unauthorized Platforms. Data can be uploaded to unauthorized file-sharing platforms, cloud storage services, or external websites, bypassing authentication and security controls.
- Insecure Cloud Configurations. Misconfigured cloud services or inadequate access control settings can inadvertently expose sensitive data to unauthorized users.
- Exploitation of Application Vulnerabilities. Malicious insiders or malware can exploit weaknesses in applications to extract sensitive information.
- Exfiltration via Physical Devices. Theft of physical devices, such as laptops, smartphones, or external drives, can lead to unauthorized access to sensitive data stored on them.
Data exfiltration can be a gradual process, with small amounts of data being extracted over time, making it harder to detect. That’s why comprehensive security measures and vigilant monitoring are crucial.
What Are the Most Common Data Exfiltration Methods?
- Phishing and Social Engineering. Cybercriminals trick employees into revealing credentials or downloading malware through deceptive emails or communications.
- Malware. Malicious software infiltrates systems to capture and transmit sensitive data without detection.
- Exploiting Software Vulnerabilities. Attackers take advantage of unpatched or poorly secured software to gain access to systems.
- Command and Control (C&C) Servers. Hidden communication channels are established between compromised devices and attacker-controlled servers to extract data covertly.
- Data Obfuscation. Stolen data is disguised within ordinary-looking files or traffic to avoid detection during transfer.
- Removable Media. Unauthorized use of USB drives, external hard drives, or other portable storage devices to copy sensitive data.
- Cloud Storage Services. Uploading stolen information to cloud platforms such as Google Drive, Dropbox, or other file-sharing services.
- Insecure FTP Servers. Using poorly secured File Transfer Protocol (FTP) servers to move sensitive data to external locations.