Confidential data and information must only be accessible by those persons who are
authorised to access it. In addition to integrity and availability, confidentiality is one of the key
security objectives. For confidential information (such as passwords, personal data,
confidential company or governmental information, or development data), there is an
inherent danger that it will be disclosed through technical failures, carelessness, or even
deliberate action.
Access to confidential information can be gained from a variety of sources, for example:
• storage media in computers (hard disks)
• removable storage media (USB sticks, CDs, or DVDs)
• printed documents on paper (printouts, files)
• transmission routes used during data transmission
There are various ways of actually obtaining information, for example:
• reading files without authorisation
• thoughtlessly passing on information, e.g. in the course of repair orders
• deleting or destroying storage media inadequately
• stealing the storage medium for later evaluation
• tapping transmission lines
• infecting IT systems with malware
• viewing information on the screen or eavesdropping on conversations
Serious consequences can result for an organisation when sensitive information is disclosed. A
loss of confidentiality can have the following adverse effects, among others, on an
organisation:
• violations of laws, for example laws relating to data protection or banking secrecy
• negative internal effects, for example a loss of employee morale
• negative external effects, for example poorer relationships with business partners or
the loss of customer trust
• financial effects, e.g. damage claims, fines, and court costs
• impairment of the right to informational self-determination
A loss of confidentiality is not always detected immediately. In many cases, it only becomes
apparent later, e.g. by means of press enquiries, that unauthorised persons have gained access
to confidential information.
Example:
Buyers of used computers, hard disks, mobile phones or similar devices often find
strictly confidential information such as patient data or account numbers on them.