Data exfiltration is—quite simply—data theft, whether the responsible party is an external malicious actor or an internal user who exfiltrates data inadvertently.
Data exfiltration is any case in which data that is not meant to be shared with external parties is in fact shared with them. Often it results from a breach or other cybersecurity incident; occasionally it is carried out by employees, whether intentionally or inadvertently. In all cases it represents a significant risk—and, in the end, possibly catastrophic consequences.
The incentives that lead to data exfiltration overlap significantly with the incentives that drive cyber attacks and cyber breaches.
Commonly exfiltrated data includes account credentials and other security data; intellectual property and trade secrets; personally identifiable information suitable for identity theft; operational and competitive data that may place a company at a disadvantage; and many other kinds of data whose exposure ranges from serious to existential in terms of risk, should the data escape "into the wild" or fall into the hands of malicious actors.
For this reason, many privacy and security statutes and standards, including well-known ones such as GDPR and CCPA, specify how data must be managed and safeguarded, and the penalties that may be imposed if data is ultimately "leaked" to third parties (though often this "leak" is really the result of an "attack" seeking precisely this data).
Unfortunately, this incentive means the related intrusions are quiet and difficult to detect. Malicious actors whose activities are driven by data exfiltration goals go to great lengths to avoid drawing attention to the tools, malware, and other forms of access that enable data to be exfiltrated, largely because transferring data takes time. "Backdoor" payloads designed to enable data exfiltration still take the better part of a year, on average, to detect and remediate, leaving ample time for data to be exfiltrated.
In today's hyper-networked world, the key domain to survey for data exfiltration anomalies is the corporate network, or more precisely the network traffic leaving any host for the outside world. Unfortunately, today's network topologies are no longer the simple "internal-perimeter-external" architectures of the past, which makes anomaly detection increasingly difficult without the help of machine learning and tight integration of detection and observation tools.