G 0.16 Theft of equipment, data carriers or documents

Theft of data carriers, IT systems, accessories, software or data results on one hand in costs for replacement and restoration to a working state, and on the other hand in losses due to lack of availability. If the theft results in the disclosure of confidential information, this can have further consequences. In addition to servers and other expensive IT systems, mobile IT systems that are inconspicuous and easy to transport are also frequently stolen. However, there are also cases where data carriers such as documents or USB sticks were deliberately removed to gain access to the confidential information stored on them.

Examples:

• In spring 2000, a notebook disappeared from the U.S. State Department. In an official statement, it could not be excluded that the device might contain confidential information. Likewise, it was unclear whether the device was protected cryptographically or by other measures against unauthorized access.
• In a German federal agency, there were several break-ins through the same unsecured windows. In addition to other valuables, mobile IT systems disappeared. Whether files were copied or manipulated could not be definitively ruled out.
• In the UK, there was a series of data breaches in which confidential documents were disclosed because data carriers were stolen. In one case, several computer hard drives were stolen from the British Air Force that contained highly personal information collected for security clearance of employees.
• Several employees of a call center created copies of a large amount of confidential customer data shortly before they had to leave the company. After leaving the company, these employees sold the data to competing companies. After details about the incident reached the press, the call center lost many important customers.