Code Room
On-callHardoc-g136
Subject: Data exfiltration
Level: Senior–Staff
Duration: ~45 min
Common in: Reliability & on-call interviews
Industries: Technology, Software development

Question

Your egress-monitoring dashboard flags an analytics service account ('svc-reporting') transferring 240GB to an external S3 bucket over the last 6 hours — normal daily egress for it is <2GB. Query logs show svc-reporting running full-table SELECTs against the customers and payment_methods tables, paginated, between 01:00-07:00 local. The account is used by a scheduled BI job that historically only reads aggregated views. A new third-party BI vendor integration was connected via OAuth 4 days ago. No alerts from the WAF. How do you triage, contain, and remediate this suspected data exfiltration?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
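The triage step above means turning the three signals in the question (egress volume far above baseline, full-table reads of sensitive tables, a recent third-party OAuth grant) into a ranked finding with containment actions before anyone starts guessing. The script below is an added example written for this page, not part of the original question or answer key. Every log record in it is constructed to mirror the figures in the scenario, and the field names (account, sql, client, granted_at) are assumptions rather than any real product's schema.

```python
"""Correlate egress, query-log and OAuth-grant signals into one triage finding.
Added example for the svc-reporting scenario; all records are CONSTRUCTED and
the record field names are assumptions, not a real tool's schema."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SENSITIVE_TABLES = {"customers", "payment_methods"}
EGRESS_RATIO_THRESHOLD = 10.0  # observed/baseline ratio treated as anomalous

# A full-table read: SELECT ... FROM <table> with no WHERE clause. LIMIT/OFFSET
# pagination is still a full read, just delivered in chunks.
FULL_READ = re.compile(
    r"^\s*SELECT\s+.+?\s+FROM\s+(\w+)(?!.*\bWHERE\b).*$", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    severity: str
    evidence: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def egress_ratio(observed_gb, baseline_gb):
    """Observed egress divided by the account's normal daily egress."""
    return observed_gb / baseline_gb if baseline_gb > 0 else float("inf")


def full_reads_of_sensitive_tables(query_log, account, sensitive=SENSITIVE_TABLES):
    """Sensitive tables this account read without any WHERE clause."""
    hits = set()
    for rec in query_log:
        if rec["account"] != account:
            continue
        m = FULL_READ.match(rec["sql"])
        if m and m.group(1).lower() in sensitive:
            hits.add(m.group(1).lower())
    return sorted(hits)


def recent_grants(grants, account, now, window_days=7):
    """Third-party OAuth grants tied to this account inside the look-back window."""
    cutoff = now - timedelta(days=window_days)
    return [g for g in grants if g["account"] == account and g["granted_at"] >= cutoff]


def triage(account, observed_gb, baseline_gb, query_log, grants, now):
    """Combine the three signals into a severity plus ordered containment actions."""
    f = Finding(severity="low")
    ratio = egress_ratio(observed_gb, baseline_gb)
    if ratio >= EGRESS_RATIO_THRESHOLD:
        f.evidence.append(f"egress {observed_gb}GB vs baseline {baseline_gb}GB ({ratio:.0f}x)")
        f.actions.append("block egress from this account to the external bucket")
    tables = full_reads_of_sensitive_tables(query_log, account)
    if tables:
        f.evidence.append(f"full-table reads of {', '.join(tables)}")
        f.actions.append("rotate the account's DB credentials; re-grant read on aggregated views only")
    for g in recent_grants(grants, account, now):
        f.evidence.append(f"OAuth grant to {g['client']} {(now - g['granted_at']).days}d ago")
        f.actions.append(f"revoke OAuth tokens for {g['client']}; request the vendor's access logs")
    # Bulk read of regulated data plus bulk egress is the combination that confirms exfiltration.
    if ratio >= EGRESS_RATIO_THRESHOLD and tables:
        f.severity = "critical"
    elif f.evidence:
        f.severity = "high"
    f.actions.append("snapshot query, egress and OAuth logs before any cleanup")
    return f


# Constructed sample data mirroring the question's figures.
NOW = datetime(2024, 6, 10, 7, 0)
QUERY_LOG = [
    {"account": "svc-reporting", "ts": NOW - timedelta(hours=5),
     "sql": "SELECT * FROM customers LIMIT 5000 OFFSET 0"},
    {"account": "svc-reporting", "ts": NOW - timedelta(hours=3),
     "sql": "SELECT * FROM payment_methods LIMIT 5000 OFFSET 10000"},
    {"account": "svc-reporting", "ts": NOW - timedelta(days=1),
     "sql": "SELECT region, SUM(revenue) FROM daily_sales_agg WHERE dt = '2024-06-08'"},
    {"account": "svc-billing", "ts": NOW - timedelta(hours=2),
     "sql": "SELECT * FROM invoices WHERE id = 42"},
]
GRANTS = [
    {"account": "svc-reporting", "client": "third-party-bi-vendor", "granted_at": NOW - timedelta(days=4)},
    {"account": "svc-reporting", "client": "legacy-dashboards", "granted_at": NOW - timedelta(days=200)},
]

if __name__ == "__main__":
    finding = triage("svc-reporting", 240.0, 2.0, QUERY_LOG, GRANTS, NOW)
    print(finding.severity)
    for line in finding.evidence + finding.actions:
        print(" -", line)
```

The order of the actions matters: cutting the egress path and revoking the vendor's tokens stops the loss, credential rotation prevents resumption through the same account, and log snapshots are taken before anything else is touched so the root-cause work that follows has evidence. Whether the vendor integration, a compromised job, or a legitimate but badly scoped new report is to blame is the hypothesis stage, and the finding's evidence list is the input to it.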
