Elementary Threat · BSI IT-Grundschutz

G 0.16 — Theft of Devices, Storage Media or Documents

Reviewed by: Cenedril Editorial

Friday night, a break-in at a federal agency. The perpetrators enter through an unsecured window that had been known as a weak point for some time. Alongside cash and electronics, mobile IT systems disappear. Whether files were copied or tampered with can no longer be determined with certainty after the fact.

The theft of devices, storage media and documents causes double damage: replacement costs and loss of availability on the one hand, the uncontrolled disclosure of confidential data on the other. The BSI lists this threat as G 0.16.

What’s behind it?

What gets stolen is what is valuable, inconspicuous and easy to carry. Notebooks, smartphones and USB sticks meet all three criteria. In many cases, the thief is not interested in the hardware at all — the stored data is the actual target.

Forms of theft

  • Opportunistic theft — unattended devices in public spaces, vehicles or hotel rooms. Mobile devices are particularly exposed because they are small, valuable and easy to resell.
  • Targeted theft — an attacker deliberately targets specific devices or storage media containing confidential information. Such attacks are often enabled by insider knowledge.
  • Insider — employees with legitimate access copy large volumes of confidential data onto private storage media shortly before leaving the company and take them along. Technically this is not theft in the classical sense, but the effect is identical.
  • Break-in — targeted break-ins into office buildings or data centres in which servers, hard drives or files are stolen.

Impact

The immediate damage comprises replacement costs and business disruption. The more serious damage arises from the disclosure of confidential data: customer data, trade secrets, personal information, access credentials. For the loss of personal data without encryption, a GDPR notification obligation applies — including possible fines.

Practical examples

Notebook theft from a vehicle. A sales employee leaves her company notebook in the boot of her company car overnight. The vehicle is broken into and the device stolen. The unencrypted hard drive contains customer lists, price calculations and contract details. A GDPR notification becomes necessary and the affected customers must be informed.

USB stick with customer data in the drawer. A call centre employee copies large volumes of confidential customer data onto a private USB stick shortly before resigning. After leaving, he sells the data to a competitor. The call centre subsequently loses several major customers when the incident becomes public.

Break-in with hard drive theft. In a mid-sized company, intruders break into the server room at night and steal several hard drives from a storage system. The data contains design plans and patent documents. Since no backups exist at a separate location, availability is also affected.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 18 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.16 to the following modules:

  • INF.7 (Office workplace) — security requirements for office spaces, including access protection and storage.
  • INF.8 (Home workplace) — protection of devices and documents in the home office.
  • SYS.3.1 (Laptops) — specific requirements for securing mobile computers.
  • CON.6 (Deletion and destruction) — secure disposal of storage media and documents.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.29 Information security during disruption
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.7.1 Physical security perimeters
  • A.7.2 Physical entry
  • A.7.4 Physical security monitoring
  • A.7.7 Clear desk and clear screen
  • A.7.8 Equipment siting and protection
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.11 Supporting utilities
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.10 Information deletion
  • A.8.13 Information backup
  • A.8.20 Networks security

Frequently asked questions

Why is theft a problem for information security, and not just for the insurance?

The replacement value of the device is often the smallest damage. The real risk lies in the stored data: customer data, credentials, trade secrets or personal information. Without encryption the thief gains immediate access to this data — and the damage can exceed the cost of the device many times over.

Does full-disk encryption reliably protect against theft?

Full-disk encryption (e.g. BitLocker, FileVault, LUKS) offers very strong protection as long as the device was switched off at the time of theft and the password is strong enough. If the device was running (even with the screen locked), the keys may still be present in memory.
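Encryption only helps against theft if it is actually in place on every data-bearing volume, so a practical check is to verify which mounted filesystems sit on top of a dm-crypt/LUKS layer. The following script is an added example, not code from Cenedril or the BSI: it walks the device tree that util-linux's `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces and reports every mount point without a "crypt" ancestor. It handles the common LVM-on-LUKS layout (the crypt layer is an ancestor of the logical volumes, not the mounted device itself) and treats `/boot` and `/boot/efi` as expected plaintext by default. The embedded device tree is constructed sample data so the script runs offline; `run_lsblk()` fetches the real tree on a Linux host.

```python
"""Report mounted filesystems that are not backed by a dm-crypt (LUKS) layer.

Added example: parses the JSON tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT`
(util-linux) and flags every mount point that has no "crypt" ancestor.
"""
import json
import subprocess

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output:
# a laptop with LVM on LUKS for /, /home and swap, plaintext /boot partitions,
# and an unencrypted USB stick mounted at /media/usb.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptlvm", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
  ]}
]}
""")

# Mount points that are expected to be plaintext because the boot loader
# must read them before any key is available.
DEFAULT_ALLOWLIST = frozenset({"/boot", "/boot/efi"})


def classify_mounts(tree, allowlist=DEFAULT_ALLOWLIST):
    """Split all mount points in an lsblk JSON tree into (encrypted, plaintext).

    A mount point counts as encrypted when the mounted device or any of its
    ancestors in the tree has type "crypt". Allowlisted mount points are
    skipped entirely. Both lists are returned sorted.
    """
    encrypted, plaintext = [], []

    def walk(node, under_crypt):
        # Once a crypt layer is seen, everything below it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and mountpoint not in allowlist:
            (encrypted if under_crypt else plaintext).append(mountpoint)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree["blockdevices"]:
        walk(device, False)
    return sorted(encrypted), sorted(plaintext)


def run_lsblk():
    """Fetch the live device tree from util-linux lsblk (Linux hosts only)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    encrypted, plaintext = classify_mounts(SAMPLE_LSBLK)
    print("encrypted mounts:", encrypted)
    print("PLAINTEXT mounts:", plaintext)  # these need attention before the device leaves the building
```

On the sample tree the plaintext finding is the USB stick at `/media/usb`, which is exactly the class of storage medium the threat description singles out. Passing `allowlist=frozenset()` also reports the boot partitions, which is useful when a policy requires that even the boot chain be measured or protected by other means.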

What should be done if a company device is stolen?

Immediate notification to the IT department so that access credentials can be revoked, a remote wipe can be triggered and the incident can be documented. In parallel, report the theft to the police. For personal data without encryption, a GDPR notification obligation applies.