But, why would someone want to exfiltrate data?
Data is valuable currency. From higher education to healthcare and nonprofits, organizations across industries hold sensitive information about the business, its employees, and donors.
What is data exfiltration?
Simply put, data exfiltration indicates the movement of sensitive data from inside the organization to outside without authorization. This can either be done accidentally or deliberately.
The consequences of data exfiltration aren’t just around lost data. A breach means reputational damage, lost donor trust, and fines. The best way to illustrate the different types of data exfiltration and the impact these incidents have on nonprofits is with examples.
Examples of data exfiltration
When it comes to data exfiltration, there are countless motives and methods. But, you can broadly group attempts into two categories: data exfiltration by someone within the organization, for example, a disgruntled or negligent employee, and data exfiltration by someone outside the organization; for example, a competitor.
Join 30,000+ fundraising professionals that receive our weekly Sunday newsletter with industry trends, tips, and analysis delivered right to your inbox
Data exfiltration by insiders
Data exfiltration by an insider indicates that company data has been shared by a member of the company to people (or organizations) outside of the company.
While most organizations have security software and policies in place to prevent insider threats from moving data outside of the office environment and outside of company control, insiders have easy access to company data, may know workarounds, and may have the technical know-how to infiltrate “secure” systems.
Here are six examples of data exfiltration by insiders:
- Over the course of 9 months, an employee at Anthem Health Insurance forwarded 18,500 members records’ to a third-party vendor. These records included Personally Identifiable Information (PII) like social security numbers, last names, and dates of birth.
- After exfiltrating nearly 100 GB of data from an unnamed financial company that offered loan services to Ukraine citizens, an employee’s computer equipment was seized. Police later found out the suspect was planning on selling the data to a representative of one of his former employer’s competitors for $4,000.
- Not all examples of data exfiltration are malicious, though. Some breaches happen inadvertently, like when an employee leaving the Federal Deposit Insurance Corporation (FDIC) accidentally downloaded data for 44,000 FDIC customers onto a personal storage device and took it out of the agency.
- Jean Patrice Delia exfiltrated over 8,000 files from his employer, General Electric (GE), over eight years. Delia hoped to set up a rival company using insider secrets. The FBI investigation into Delia’s scam began in 2016. Details released in July 2020 showed how Delia persuaded a GE IT administrator to grant him privileged systems access — and emailed commercially sensitive documents to a co-conspirator.
- On three occasions — in November 2018, January 2020, and October 2020 — Amazon has emailed customers to inform them that an insider has disclosed their personal information (usually email address) to a third party. Amazon hasn’t been very forthcoming about the details of these incidents, but there appears to be a pattern of insider data exfiltration emerging — which should be a serious concern for the company.
- After a data exfiltration near-miss, a Nevada court charged Egor Igorevich Kriuchkov with “conspiracy to intentionally cause damage to a protected computer” in September 2020. Kriuchkov attempted to bribe a Tesla employee to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The FBI disrupted the scheme, which could have caused serious damage to one of the world’s leading companies.
Exfiltration by outsiders
Unlike exfiltration by insiders, exfiltration by outsiders indicates that someone from outside an organization has stolen valuable company data.
Here are six examples of data exfiltration by outsiders:
- In 2014, eBay suffered a breach that impacted 145 million users. In this case, cybercriminals gained unauthorized access to eBay’s corporate network through a handful of compromised employee log-in credentials. At the time, it was the second-biggest breach of a U.S. company based on the number of records accessed by hackers.
- Stealing login credentials isn’t the only way bad actors can gain access to a network. In 2019, malware was discovered on Wawa payment processing servers. This malware harvested the credit card data of over 30 million customers, including card number, expiration date, and cardholder name.
- Did you know? 91% of data breaches start with phishing emails. While many phishing emails direct targets to wire money, pay an invoice, or provide bank account details, some request sensitive employee or client information, for example, W-2 forms.
- In February 2021, Talos Intelligence researchers discovered a new variant of the “Masslogger” Trojan. Masslogger is a perfect example of how cybercriminals can use malware to exfiltrate data from online accounts. This new Masslogger variant arrives via a phishing email with “a legitimate-looking subject line” containing a malicious email attachment. The Trojan targets platforms like Discord, Outlook, Chrome, and NordVPN, using “fileless” attack methods to exfiltrate credentials.
- In October 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways (BA) £20 million ($28 million) after attackers exfiltrated customers’ data, including credit card numbers, names, and addresses. This massive data breach started in June 2018, when attackers installed malicious code on BA’s website. The ICO held BA fully responsible for the breach, which affected over 400,000 customers.
- Healthcare company Magellan Health discovered in April 2020 that hackers had exfiltrated sensitive customer data, including names, tax IDs, and Social Security Numbers. The breach started with a phishing email that an employee received five days earlier. This data exfiltration incident occurred just months after Magellan announced a similar phishing attack that exposed 50,000 customer records from its subsidiary companies.
Want to learn how you can keep your nonprofit's data safe while empowering your fundraisers to do the best work of their life? See a Gravyty demo today and learn how you can protect your most valuable assets while INCREASING productivity: