A server administrator is performing a routine audit of network traffic logs for a file server. The administrator discovers that a large volume of data, several gigabytes in size, was transferred to an unknown external IP address overnight. The transfer occurred outside of the normal backup window and does not correspond to any scheduled maintenance tasks. Which of the following data security risks has the administrator most likely identified?
The correct answer is a data breach. The scenario describes a classic indicator of data exfiltration, which is how a data breach typically manifests in network telemetry. Three signals line up here: the volume is large (several gigabytes), the destination is an unknown external IP rather than an approved backup or replication target, and the timing falls outside the scheduled backup window with no maintenance task to explain it. Together they are a primary sign that an unauthorized party has accessed the network and is stealing data. Recognizing these signs is the 'Identification' phase of incident response (called Detection and Analysis in NIST SP 800-61); confirming them, by establishing who owns the destination address and which account and process sent the data, is the next step of that same phase, and the logs should be preserved before anything on the server is changed.
Data corruption involves data being altered or destroyed, which is not indicated by the network traffic logs.
While an insider threat could be the cause of the breach, the risk identified by the log evidence itself is the data breach (the event), not the actor (the insider).
A hardware failure would more likely present as network errors, packet loss, or a loss of connectivity, not a large, successful data transfer.
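The detection logic described in the answer, run over a few constructed flow-log lines, as an added example that is not part of the original question or answer. It assumes a hypothetical log format of `timestamp src_ip dst_ip bytes`, that the organization's internal address space is the RFC 1918 ranges, a backup window of 01:00 to 03:00, one approved external backup target, and a 1 GiB per-destination alert threshold; all of these are assumptions for illustration and would be replaced by the real inventory and schedule. The external addresses are IANA documentation ranges used as stand-ins.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample flow records (hypothetical format): timestamp src_ip dst_ip bytes_transferred
SAMPLE_FLOWS = [
    "2024-03-10T02:05:00 10.0.0.5 10.0.0.20 524288000",      # backup to an internal target
    "2024-03-10T02:40:00 10.0.0.5 203.0.113.77 1073741824",  # unknown external host, inside backup window
    "2024-03-10T03:15:00 10.0.0.5 203.0.113.77 3221225472",  # same host, outside backup window
    "2024-03-10T03:30:00 10.0.0.5 198.51.100.9 4096",        # small transfer, below threshold
    "2024-03-10T09:00:00 10.0.0.5 192.0.2.10 2147483648",    # approved offsite backup target
]

# Assumed organizational context (not from the original page).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EXTERNAL = {"192.0.2.10"}          # assumed approved offsite backup/replication target
BACKUP_WINDOW = (time(1, 0), time(3, 0))   # assumed scheduled backup window, 01:00-03:00
THRESHOLD_BYTES = 1 * 1024 ** 3            # assumed alert threshold: 1 GiB per external destination


def parse_flow(line):
    """Split one flow record into (datetime, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def is_internal(ip):
    """True if the address falls in one of the configured internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def in_backup_window(ts):
    """True if the record's time of day falls inside the scheduled backup window."""
    start, end = BACKUP_WINDOW
    return start <= ts.time() < end


def find_suspicious_transfers(lines, threshold=THRESHOLD_BYTES):
    """Aggregate outbound bytes per unknown external destination and return
    those whose total meets the threshold, with the share sent outside the
    backup window broken out so an analyst can see the timing anomaly."""
    totals = {}
    for line in lines:
        ts, src, dst, nbytes = parse_flow(line)
        # Only internal -> external flows to destinations we do not already know.
        if not is_internal(src) or is_internal(dst) or str(dst) in APPROVED_EXTERNAL:
            continue
        entry = totals.setdefault(str(dst), {"bytes": 0, "bytes_outside_window": 0})
        entry["bytes"] += nbytes
        if not in_backup_window(ts):
            entry["bytes_outside_window"] += nbytes
    return {dst: e for dst, e in totals.items() if e["bytes"] >= threshold}


if __name__ == "__main__":
    for dst, e in find_suspicious_transfers(SAMPLE_FLOWS).items():
        print(f"ALERT {dst}: {e['bytes'] / 1024 ** 3:.1f} GiB total, "
              f"{e['bytes_outside_window'] / 1024 ** 3:.1f} GiB outside backup window")
```

On the sample data only 203.0.113.77 is reported: the internal copy, the approved offsite target and the 4 KiB transfer are all excluded, and the alert shows that most of the 4 GiB left outside the backup window. Lowering the threshold surfaces the small transfer too, which is the usual trade-off between catching low-and-slow exfiltration and drowning in noise.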