Elementary Threat · BSI IT-Grundschutz

G 0.17 — Loss of Devices, Storage Media or Documents

Reviewed by: Cenedril Editorial

A memory card the size of a fingernail drops unnoticed out of a briefcase onto the floor at a trade show. On it: confidential calculations and customer data. The finder reviews the contents on their laptop. A few days later, the information surfaces at a competitor.

The accidental loss of devices, storage media and documents is among the most frequent causes of data breaches. The BSI lists this threat as G 0.17. Unlike theft, criminal intent is absent — the consequences can nevertheless be severe.

What’s behind it?

Mobile devices and storage media are lost regularly — in taxis, trains, airports, meeting rooms and restaurants. Modern micro-SD cards hold hundreds of gigabytes; a single USB stick can contain an entire department’s data. The loss immediately affects availability and — for unencrypted media — confidentiality as well.

Loss scenarios

  • Left behind on public transport — notebooks, smartphones and documents are left behind on trains, buses and planes. Hurry when changing trains and distraction are the most common causes.
  • Falling out of bags — small storage media (USB sticks, memory cards) slip unnoticed out of bags, jackets or laptop sleeves.
  • Loss in the post — storage media or documents sent by post go missing without sender or recipient being informed.
  • Forgotten printouts — paper documents are forgotten in meeting rooms, at the printer or in external offices.

Impact

Even when a lost device reappears, there is no longer any guarantee that the data has remained unchanged and confidential. Manipulated software may have been installed or confidential information copied. Recovering the device therefore does not solve the confidentiality problem. On top of this come replacement costs and — for documents with signatures — the effort of obtaining them again.

Practical examples

Documents on the tram. On her way to work, an employee reviews documents bearing several management signatures. At her destination stop she rushes off and leaves the papers on the seat. The documents are not confidential, but obtaining the signatures again takes several weeks and delays an approval procedure.

Smartphone in a taxi. A department head leaves his company smartphone in a taxi. The device holds the email inbox, VPN credentials and the authenticator app for two-factor authentication. Four hours pass before the device is wiped remotely — enough time to access the stored data if the device is not adequately protected.

Software update CDs in the post. A software vendor ships media with security updates by post to customers. Several consignments go missing. The affected customers do not receive the update and work for weeks with a vulnerable version — without knowing.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 14 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.17 to the following modules:

  • SYS.3.2.1 (General smartphones and tablets) — requirements for securing mobile end-user devices.
  • SYS.4.5 (Removable media) — security requirements for USB sticks, memory cards and external drives.
  • ORP.1 (Organisation) — organisational rules for the handling of company assets.
  • CON.7 (Information security while travelling) — protection measures for the transport of devices and documents.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.10 Acceptable use of information and other associated assets
  • A.5.11 Return of assets
  • A.5.14 Information transfer
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.6.2 Terms and conditions of employment
  • A.6.7 Remote working
  • A.7.7 Clear desk and clear screen
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.7 Protection against malware
  • A.8.10 Information deletion

Frequently asked questions

What's the difference between loss (G 0.17) and theft (G 0.16)?

With loss, the device or storage medium is mislaid accidentally — for example forgotten on a train or falling out of a bag. With theft, an attacker takes the object deliberately. The effects are similar (loss of availability, possible disclosure), but the threat type differs: loss is accidental, theft is deliberate.

Does a lost device have to be reported?

Yes — and immediately. Even if the device is encrypted, access credentials must be revoked as a precaution and the incident must be documented. For personal data without encryption, a GDPR notification obligation applies within 72 hours.

How can I prevent losses of memory cards?

Micro-SD cards and USB sticks are so small that they are easily lost. Policies should restrict their use to what is strictly necessary and require encryption. Where possible, cloud storage with access control should replace physical media.
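A policy that requires encryption on removable media needs a check that can tell a plain USB stick from one carrying an encrypted container. The script below is an added example (not code from the Cenedril page or from the BSI): it walks the JSON that the Linux command `lsblk -J -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT` prints and reports every removable filesystem that is not inside a LUKS or BitLocker container. The embedded `lsblk` document is constructed for the demonstration; the function `scan_live_system` runs the real command when invoked directly.

```python
"""Report removable media that carry an unencrypted filesystem.

Added example, not from the Cenedril page or from BSI IT-Grundschutz.
Input is the JSON tree printed by `lsblk -J -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT`
(a real util-linux command); SAMPLE_LSBLK below is constructed, not captured.
"""
import json
import subprocess

# Filesystem types that libblkid reports for encrypted containers; anything
# nested below one of these (an opened "crypt" mapping) is protected at rest.
ENCRYPTED_CONTAINER_TYPES = {"crypto_LUKS", "BitLocker"}

# Constructed sample: sda is the internal disk, sdb a USB stick with a plain
# FAT partition, sdc a USB stick whose partition is a LUKS container with an
# opened ext4 volume ("secure") inside.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "rm": False, "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "type": "part", "rm": False, "fstype": "ext4", "mountpoint": "/"}]},
        {"name": "sdb", "type": "disk", "rm": True, "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdb1", "type": "part", "rm": True, "fstype": "vfat",
              "mountpoint": "/media/user/STICK"}]},
        {"name": "sdc", "type": "disk", "rm": True, "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdc1", "type": "part", "rm": True, "fstype": "crypto_LUKS", "mountpoint": None,
              "children": [
                  {"name": "secure", "type": "crypt", "rm": False, "fstype": "ext4",
                   "mountpoint": "/media/user/secure"}]}]},
    ]
})


def _is_removable(value) -> bool:
    """Older lsblk prints "0"/"1" strings for RM, newer versions print JSON booleans."""
    return value in (True, 1, "1", "true")


def find_unencrypted_removable(lsblk_json: str) -> list[dict]:
    """Return one finding per filesystem that sits on removable media without an
    encrypted container anywhere above it in the device tree."""
    findings: list[dict] = []

    def walk(node: dict, removable: bool, encrypted: bool) -> None:
        # Removability is inherited: a dm-crypt mapping reports rm=false even on a USB stick.
        removable = removable or _is_removable(node.get("rm"))
        fstype = node.get("fstype") or ""
        # Encryption is inherited downwards from a LUKS/BitLocker header or an opened crypt layer.
        encrypted = encrypted or fstype in ENCRYPTED_CONTAINER_TYPES or node.get("type") == "crypt"
        if removable and fstype and fstype not in ENCRYPTED_CONTAINER_TYPES and not encrypted:
            findings.append({"name": node["name"], "fstype": fstype,
                             "mountpoint": node.get("mountpoint")})
        for child in node.get("children", []):
            walk(child, removable, encrypted)

    for device in json.loads(lsblk_json).get("blockdevices", []):
        walk(device, False, False)
    return findings


def scan_live_system() -> list[dict]:
    """Run the real lsblk on this host (Linux only) and evaluate its output."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,RM,FSTYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return find_unencrypted_removable(out)


if __name__ == "__main__":
    for f in find_unencrypted_removable(SAMPLE_LSBLK):
        print(f"UNENCRYPTED removable filesystem: {f['name']} ({f['fstype']}) at {f['mountpoint']}")
```

Run against the sample, the scan flags only `sdb1`: the internal disk is not removable, and the ext4 volume on `sdc` inherits protection from the LUKS partition above it. Scheduled as a udev-triggered or periodic check, the same function gives the policy a technical enforcement point instead of relying on users to remember it.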