What Is The Difference Between Data Loss Vs Data Leakage Vs Data Theft Vs Data Exfiltration?
- Peter Natterer
- May 20, 2024
- 5 min read

Fictitious story
FinTech Solutions is a financial technology company that develops cutting-edge software for banking institutions. They have strict data security policies in place to protect sensitive customer information. However, they recently experienced a security incident involving one of their employees, Ben.
One morning, the IT team at FinTech Solutions noticed unusual network activity originating from Ben’s workstation.
Upon investigation, they discovered that Ben had been sending confidential financial transaction logs and customer account details to an email address outside the company’s domain.
As the investigation unfolds, it becomes clear that Ben has been secretly collecting and transmitting sensitive data for several weeks. He used his insider access to bypass security measures and extract data from the company’s databases without authorisation.
Can you guess what data risk type this is? Is it:
Data Leakage?
Data Theft?
We often talk about data loss, data leakage, data theft and data exfiltration as if they are interchangeable. But, in fact, they are very different. And what makes the difference is “intention”.
“Intention” is often defined as the purpose, aim, goal or objective behind carrying out an action or actions in the future. It involves mental activities such as planning, rehearsal and forethought.
The difference between malicious and unintentional insider incidents is that the former has “intent” to commit a malicious act, whereas the latter has no “intent”.
Data Loss
Is the result of data being unintentionally or accidentally misplaced so that it is no longer accessible. Simply put, it is lost.
Here are some examples.
One of the easiest ways to suffer data loss is by accidentally deleting files without having any available backup.
Computer disk drives can be physically damaged, and they eventually wear out over time.
Power failures can wipe out the time and effort you spent writing documents that were, unfortunately, not yet saved.
Water and fire damage on your expensive computers will definitely affect the electronics as well as the hard drive.
We often lose data simply because we don’t have a proper workflow or procedure for data restoration.
Data Leakage
Is the result of the unauthorised and unintentional transmission of data within an organisation to an outside party. Be aware that data can be transferred electronically or physically.
Here are some examples.
Someone takes a report home and accidentally leaves it on the bus/taxi/train/plane. The leak occurs if someone else picks up that report.
Sending an email with corporate information to the wrong recipient.
Posting sensitive corporate information onto social media or a public website with little security, allowing untrusted and unauthorised people to access the information.
Uploading work documents to unauthorised cloud storage to be able to access work from home.
Unauthorised removal of physical equipment such as tapes, disks, or machines so that they can be worked on by a third party. How often have you seen a second-hand disk drive with someone else’s content still on it?
Employees storing sensitive information or programs on their own laptops so that they have full control over it.
Data Theft
Data theft refers to the unauthorised or illicit act of intentionally stealing or taking sensitive, confidential, or proprietary data from its rightful owner or custodian. This type of cybercrime involves accessing, copying, or transferring data without permission, often with the intent to use it for personal gain, financial fraud, competitive advantage, espionage, or other malicious purposes.
Here are some examples:
Direct access: Unauthorised access to a computer system, database, or storage device to steal data directly from its source.
Data copying: Making unauthorised copies of files, documents, databases, or other digital assets containing sensitive information.
Data transfer: Illegally transferring data from one location to another, such as from a company’s network to an external device or server.
Data interception: Capturing data while it’s in transit, such as intercepting network communications or capturing data from unsecured wireless networks.
Data breach: Inadvertently or intentionally exposing sensitive data due to inadequate security measures, which can lead to data theft by a malicious actor.
Data Exfiltration
Is the result of the unauthorised but intentional copying, transfer or retrieval of data from within the organisation and taking it out. It is often referred to as “data theft”.
Data exfiltration is primarily a “data breach” in which the organisation’s data is illegally stolen. The reason it is stolen is usually business advantage: the thief takes it to a new job, uses it to start a competing business, or passes it to a foreign government or organisation.
Note, according to the insider threat division of CERT, nearly 75% of all data theft was carried out by insiders who had authorised access to the information.
Now that you know the difference between the data risk types, which type do you think the scenario describes?
In this scenario, the threat can be identified as Data Exfiltration and Data Theft since Ben intentionally extracted and transmitted sensitive financial data outside the company’s secure environment for personal gain or other malicious motives.
But what is the difference between data theft and data exfiltration, I hear you ask?
Both data theft and data exfiltration involve unauthorised actions.
Both data theft and data exfiltration are intentional actions.
However, the term data theft is often used in a broader sense to describe any instance where data is stolen, regardless of whether it’s taken from within the organisation (insider threat) or from outside (external threat).
Data exfiltration, on the other hand, specifically highlights the method by which data is stolen. It refers to situations where data is not just stolen but is actively transferred or removed from the organisation’s internal systems or network to an external destination.
In this fictitious scenario, where an employee secretly collects and transmits sensitive data over a period of time without explicitly mentioning the extraction method, it’s more accurate to classify this as data theft.
Furthermore:
Collection and transmission: The scenario mentions that the employee has been collecting and transmitting sensitive data for several weeks. This behaviour aligns more closely with data theft, where the focus is on the unauthorised acquisition of data rather than the movement of data outside the organisation.
Intent and duration: The fact that the employee has been engaging in this behaviour for an extended period suggests a concerted effort to gather confidential information for personal gain or other malicious purposes, which is characteristic of data theft.
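Detection logic for the pattern in the scenario above, as an added example that is not part of the original post: it parses constructed mail-gateway log lines (the addresses, domains, file names and classification labels are all invented for this example) and flags any sender whose sensitive-labelled attachments go to external recipients repeatedly over a sustained period. That is what lets a reviewer tell a weeks-long pattern of collection and transmission apart from a single misdirected email, which is leakage rather than theft.

```python
from collections import defaultdict
from datetime import datetime

# Constructed mail-gateway log (not real data): timestamp, sender,
# recipient, attachment name, classification label of the attachment.
CONSTRUCTED_LOG = """\
2024-04-02T09:14:05 ben@fintech.example ben.home@mailbox.example txn_logs_w14.csv CONFIDENTIAL
2024-04-02T10:01:11 ann@fintech.example audit@partnerbank.example q1_summary.pdf INTERNAL
2024-04-09T18:47:32 ben@fintech.example ben.home@mailbox.example accounts_export.csv CONFIDENTIAL
2024-04-10T08:12:00 ann@fintech.example cfo@fintech.example board_pack.pdf CONFIDENTIAL
2024-04-16T19:02:44 ben@fintech.example ben.home@mailbox.example txn_logs_w16.csv CONFIDENTIAL
2024-04-18T11:30:19 ann@fintech.example wrong.person@webmail.example payroll.xlsx CONFIDENTIAL
2024-04-23T18:55:07 ben@fintech.example ben.home@mailbox.example customer_kyc_batch.zip CONFIDENTIAL
"""

CORPORATE_DOMAIN = "fintech.example"  # assumed company domain for this example
SENSITIVE_LABELS = {"CONFIDENTIAL", "RESTRICTED"}  # assumed classification scheme

def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, fname, label = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "rcpt": rcpt, "file": fname, "label": label})
    return events

def is_external(addr):
    """True when the address is outside the corporate domain."""
    return addr.rsplit("@", 1)[1].lower() != CORPORATE_DOMAIN

def flag_sustained_outbound(events, min_messages=3, min_span_days=14):
    """Per sender, collect sensitive attachments sent to external addresses and
    report those that recur over at least min_span_days. A one-off misdirected
    email (a leak) does not trip this; a weeks-long pattern does."""
    per_sender = defaultdict(list)
    for e in events:
        if is_external(e["rcpt"]) and e["label"] in SENSITIVE_LABELS:
            per_sender[e["sender"]].append(e)
    findings = {}
    for sender, evs in per_sender.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).days
        if len(evs) >= min_messages and span >= min_span_days:
            findings[sender] = {"count": len(evs), "span_days": span,
                                "recipients": sorted({e["rcpt"] for e in evs})}
    return findings
```

Running `flag_sustained_outbound(parse_log(CONSTRUCTED_LOG))` reports only the sender with four sensitive attachments to one external address across three weeks; the colleague's single misdirected payroll file is left for the leakage workflow rather than the theft one.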
What Can You Do Moving Forward?
As the saying goes, “Data by itself doesn’t leave the organisation by itself.”
It is essential that your organisation understands its information assets. Before you can move forward with the right strategy, you need to answer the following key questions.
What types of data are processed? Is it medical information, personally identifiable information, credit card numbers, inventory records, etc.?
What kind of devices process this data? Is it servers, workstations, laptops, mobile devices, etc.?
Where is the data stored, processed and transmitted? Single location, multiple locations, foreign countries?
How is this data being moved or transmitted? Does it involve only corporate channels, or can it be moved to non-corporate channels like USBs, personal emails, and cloud storage?
What are the critical processes and systems that support the data?
And who has access to these information assets? Should they have such access in the first place?
Answering these questions will help your organisation inventory your data and, importantly, develop the appropriate mitigation strategy for data loss, leakage, theft, or exfiltration.
Take The Challenge
What is your capability to detect, prevent, deter and respond to insider threat harm? Would you be interested in finding out how you compare to your industry peers? Would you be surprised to know that most organisations that have taken this assessment are somewhat vulnerable? To find out more, visit https://nakedinsider.com/insider-threat-capability-assessment/.