In the finance department, an employee accidentally changes the account number in a bulk transfer — a typo, two digits swapped. The software accepts the input without warning. Over three months, monthly payments of 28,000 euros each flow to the wrong recipient. The mistake is only discovered at the quarterly reconciliation.
Loss of integrity ranks among the most insidious threats because the data is still present and appears unremarkable at first glance. The BSI lists the threat as elementary threat G 0.46. Unlike data loss (G 0.45), where the data is missing, loss of integrity delivers wrong data — and wrong data can cause greater damage than missing data.
What’s behind it?
The integrity of information can be impaired in many ways. The causes range from unintended input errors through technical defects to targeted manipulation by attackers.
Causes
Attackers modify data to gain advantages or to harm the organisation. Targeted data manipulation is often harder to detect than data theft, because no data flows out and the alteration can be subtle: a modified IBAN in a payment instruction, a changed value in an inventory database, a manipulated index database in an electronic archive.
Typing errors, mix-ups and operating errors in applications are everyday occurrences. Without plausibility checks, input validation and four-eyes review, such errors can go unnoticed for months and cascade: wrong base data leads to wrong calculations, which in turn drive wrong decisions.
- Transmission errors — bits can flip during data transfer over networks. TCP corrects most errors, but with UDP-based communication or faulty hardware, data can arrive altered unnoticed.
- Media ageing — magnetic and optical media lose readability over the years. Individual sectors become faulty (bit rot) without the file system giving an immediate warning.
- Software bugs — bugs in databases, file systems or applications can corrupt data during write operations, especially with concurrent access or system crashes.
Impact
A single altered bit can render entire datasets unusable. For encrypted datasets, a minimal change causes decryption to fail. Cryptographic keys become useless after a single bit flip — and with them all data secured by that key. Electronic archives lose their evidentiary value when the integrity of stored documents cannot be proven.
Practical examples
Manipulated archive database. An electronic archive stores audit-proof documents for accounting. An attacker with database access manipulates the index table and assigns forged invoices to genuine case numbers. During a tax audit, the forged documents are accepted as authentic — until an attentive auditor verifies the checksums manually.
Input error in warehouse management. During a manual inventory correction, an employee misses a decimal place: instead of 50 units, the stock is corrected to 500. The ERP system then automatically cancels a pending reorder. Only two weeks later, when the physical stock is exhausted, is the error discovered — the production line stands still.
Bit flip in an encrypted backup file. A sector error on the backup disk changes one byte in an encrypted backup archive. The error goes undetected because no regular integrity checks take place. When the archive is needed months later for recovery, decryption fails. The backup is worthless.
Relevant controls
The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 43 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)
Prevention:
- A.8.4 — Access to source code: Controlled access to source code prevents manipulation of the software that processes the data.
- A.8.32 — Change management: Orderly change processes prevent uncontrolled changes from endangering data integrity.
- A.5.34 — Privacy and protection of personal identifiable information (PII): Data protection processes enforce input validation and traceability.
- A.8.25 — Secure development life cycle: Integrity checks are anchored already during software development.
- A.8.7 — Protection against malware: Malware protection against malicious programs that deliberately manipulate data.
Detection:
- A.8.16 — Monitoring activities: Monitoring detects unexpected data changes in real time.
- A.8.15 — Logging: Gapless logging of all write and modification events.
- A.8.17 — Clock synchronisation: Precise timestamps ensure the traceability of data changes.
Response:
- A.5.24 — Information security incident management planning and preparation: Incident response plans for detected integrity violations.
- A.8.13 — Information backup: Intact backups enable recovery of the correct dataset.
BSI IT-Grundschutz
The BSI IT-Grundschutz catalogue links G 0.46 with the following modules:
- CON.1 (Cryptography concept) — cryptographic methods for integrity protection (hash values, digital signatures).
- OPS.1.2.6 (NTP time synchronisation) — precise timestamps for integrity checks and audit trails.
- DER.3.1 (Audits and reviews) — regular verification of data integrity as part of internal audits.
- APP.4.2 (SAP ERP system) — specific integrity requirements for standard business software.
Sources
- BSI: The State of IT Security in Germany — annual report with current incident statistics
- BSI IT-Grundschutz: Elementary Threats, G 0.46 — original description of the elementary threat
- ISO/IEC 27002:2022 Section 8.4 — implementation guidance on access to source code