Used hard drives, smartphones and USB sticks are sold online. Buyers regularly find patient data, account numbers, password lists and contract documents on them — even though the previous owners believed the data had been deleted. Emptying the recycle bin or performing a quick format is nowhere near enough.
The disclosure of sensitive information is one of the most consequential threats to information security. The BSI lists it as G 0.19.
What’s behind it?
Confidentiality is one of the three foundational values of information security — alongside integrity and availability. Confidential information may only be accessible to those authorised to know it. G 0.19 describes the threat that this boundary is breached — through technical failure, human inattention or deliberate action.
Access points
Confidential information can be captured at many points:
- Storage media — hard drives, SSDs, USB sticks, memory cards in computers and mobile devices.
- Removable media — USB sticks and external hard drives that are passed on, lost or disposed of improperly.
- Paper — printouts, files, notes, whiteboards in meeting rooms.
- Transmission paths — unencrypted network connections, emails, cloud uploads.
- Screens — shoulder surfing in public spaces, meeting rooms with glass walls, open-plan offices.
- Inadvertent disclosure — storage media are sent for repair without the data being deleted first. Old devices are sold or disposed of without secure erasure.
- Misconfiguration — cloud storage is accidentally publicly accessible. Databases are exposed to the internet without authentication.
- Malware — infostealers forward credentials and documents to attackers.
- Social engineering — employees disclose confidential information in response to skilful requests.
- Inadequate deletion — “deleted” files can be recovered with standard tools as long as the storage space has not been overwritten.
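A wipe-verification check for the inadequate-deletion case above, added here as an example and not taken from the original article or from any BSI tool: it scans a disk image chunk by chunk for blocks that still hold data or recognisable file headers, overwrites the image, and scans again. The sample image, its "deleted" PDF fragment and the signature table are all constructed in the code.

```python
import os
import tempfile

CHUNK = 4096
# Magic numbers that a quick format or a plain "delete" leaves intact on disk.
SIGNATURES = {b"%PDF-": "PDF document", b"PK\x03\x04": "ZIP/Office document"}

def scan_image(path, chunk_size=CHUNK):
    """Scan an image (or block device opened read-only) chunk by chunk and report
    how many chunks still hold non-zero bytes and where file signatures remain."""
    chunks = nonzero = offset = 0
    hits = []
    with open(path, "rb") as fh:
        while buf := fh.read(chunk_size):
            chunks += 1
            if any(buf):  # a single non-zero byte means data survived
                nonzero += 1
                for magic, name in SIGNATURES.items():
                    pos = buf.find(magic)
                    if pos != -1:
                        hits.append((offset + pos, name))
            offset += len(buf)
    return {"chunks": chunks, "nonzero_chunks": nonzero, "signatures": hits}

def is_wiped(path):
    """True only if no chunk of the image holds a non-zero byte."""
    return scan_image(path)["nonzero_chunks"] == 0

def overwrite_image(path, passes=2, chunk_size=CHUNK):
    """Overwrite every byte: random data in all but the last pass, zeros in the
    last so is_wiped() can verify the result; fsync forces it onto the medium."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            for start in range(0, size, chunk_size):
                n = min(chunk_size, size - start)
                fh.write(os.urandom(n) if p < passes - 1 else b"\0" * n)
            fh.flush()
            os.fsync(fh.fileno())

def build_demo_image():
    """Constructed sample: a 64 KiB image, all zeros except one 'deleted' PDF
    fragment left behind in the middle (as after unlink or a quick format)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    frag = b"%PDF-1.4 patient record: constructed sample data"
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\0" * (8 * CHUNK) + frag + b"\0" * (8 * CHUNK - len(frag)))
    return path
```

On SSDs and other flash media, in-place overwriting does not reliably reach every cell because of wear levelling, so a scan like this only verifies what the controller exposes; use the device's built-in secure-erase function or full-disk encryption with key destruction there.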
Impact
The consequences of disclosing confidential information can be severe: violations of data protection laws (GDPR, banking secrecy), fines, claims for damages, reputational damage and the loss of trade secrets. A loss of confidentiality is often only discovered with considerable delay — sometimes only through external tips or press enquiries.
Practical examples
Used hard drives with patient data. A hospital replaces server hard drives and hands the old ones to an IT service provider for disposal. The service provider resells the drives instead of destroying them. Buyers find patient records, diagnoses and billing data on them. The incident only becomes public when a buyer contacts the media.
Publicly accessible cloud database. A development team sets up an Elasticsearch instance for test data and forgets to enable authentication. The instance is reachable over the internet. Months later, a security researcher discovers the database with several million customer records — and reports the finding to the company.
Confidential documents at the printer. In an open-plan office, the central network printer is in the corridor, accessible to all employees and visitors. Confidential HR documents printed by a department head sit unattended in the output tray until a visitor happens to discover them.
Relevant controls
The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 71 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)
Prevention:
- A.5.13 — Labelling of information: Visible classification reminds everyone of the protection requirement at every handling step.
- A.8.12 — Data leakage prevention: Technical DLP measures detect and stop the uncontrolled outflow of data.
- A.8.10 — Information deletion: Secure deletion procedures for storage media and files.
- A.8.3 — Information access restriction: The need-to-know principle limits the circle of people with access.
- A.6.3 — Information security awareness, education and training: Sensitisation to the handling of confidential information in daily work.
Detection:
- A.8.15 — Logging: Access logs make unusual data access visible.
- A.8.16 — Monitoring activities: Monitoring detects anomalies such as mass downloads or unusual export actions.
Response:
- A.5.24 — Information security incident management planning and preparation: Prepared response plans for data breaches, including the GDPR notification process.
- A.5.26 — Response to information security incidents: Structured containment and follow-up handling after a disclosure.
- A.5.34 — Privacy and protection of PII: Specific protection measures for personal data in accordance with GDPR.
BSI IT-Grundschutz
The BSI IT-Grundschutz catalogue links G 0.19 to numerous modules, including:
- CON.1 (Crypto concept) — encryption as a core measure against disclosure.
- CON.6 (Deletion and destruction) — requirements for the secure disposal of storage media and documents.
- CON.9 (Information exchange) — rules for the controlled exchange of confidential information.
- DER.2.1 (Handling security incidents) — processes for dealing with data breaches.
Sources
- BSI IT-Grundschutz: Elementary Threats, G 0.19 — original description of the elementary threat
- ISO/IEC 27002:2022 Section 8.10 — implementation guidance on information deletion
- BSI: Recommendations for Secure Deletion — practical guidance on secure data deletion