12.02.2026 | Markus Günther | Article

Security Culture - Everywhere and yet it is Missing

What physical security can learn from us and how we can improve our security culture

On December 27, 2025, unknown perpetrators managed to break into the Sparkasse Gelsenkirchen bank. The result after almost two days of undetected work: an estimated loss of 500 million euros.

Can we learn from this incident in the area of cybersecurity?

Never let a breach go bad.

This principle also applies here. Using the timeline, we show where controls that we demand as standard in information security were lacking. The following article raises critical questions for both physical and digital security and illustrates how a strong security culture would probably have detected and thwarted this breach at an early stage.

1. Access

On the Friday after Christmas 2025, the roller shutter door that separates the long-term parkers from the short-term parkers in the adjacent parking garage is defective. Normally, a key is required for access. Due to the defect, visitors now have to ring a bell to register with the parking garage manager. The extent to which an actual identity check takes place here remains unclear. The perpetrators pass this first barrier with ease.

Analogy 1: Burglars and attackers prioritize routes with the least resistance in order to remain undetected.

Analogy 2: Reconnaissance is the key to any successful break-in, whether physical or logical.

Analogy 3: Access controls are critical to security; letting them fail open in the event of a failure poses a massive risk.

2. The Approach

The perpetrators gain access to an area of the parking garage that serves as an emergency exit for the premises of the bank.

For unexplained reasons, the escape door is open from the outside, contrary to its function of only allowing passage from the inside to the outside. There are no cameras in this area. From the protected but still non-critical parking area, the perpetrators now enter zones with significantly higher security requirements: the basement of the bank and the archive there.

Analogy 4: Know your perimeter and monitor it seamlessly.

Analogy 5: Check whether undesirable conditions - such as an unauthorized open escape door - are detected automatically and promptly.

Analogy 6: Identify interfaces where security zones are adjacent to public zones and secure them in a prioritized manner.

3. Intrusion into the innermost Zone

The archive, which is of no interest to the perpetrators, is directly adjacent to the zone with the highest security requirements: the vault. This is protected at the front by a solid steel gate.

Instead of attacking from the front, the perpetrators gain access via the archive. It is still unclear exactly how they entered the archive; presumably locks were manipulated or changed in advance.

On Saturday morning, smoke detectors in the archive trigger a fire alarm. The fire department arrives together with the security guards, but they are unable to gain access to the locked archive room. As no traces of a fire or break-in are visible from the outside, the emergency services leave again.

Analogy 7: Never underestimate publicly available information about your architecture or infrastructure.

Ask yourself: A high-security room is suddenly inaccessible to authorized persons and reports an alarm at the same time. Shouldn’t that immediately make you suspicious? How quickly should an in-depth check be carried out in such a case?

4. At the Destination

At around 10:30 a.m. on Saturday, the perpetrators break through the wall into the vault and open the first lockers shortly afterwards. This process is logged by the system.

At around 3 p.m., the logging stops and the monitoring system fails. In total, over 3,000 safe deposit boxes are emptied.

Ask yourself: Shouldn’t the opening of thousands of lockers outside of business hours be considered a critical event (anomaly detection) and investigated immediately?

Analogy 8: Define regular working hours and consistently raise the alarm in the event of deviations and privileged actions outside these time windows.

Analogy 9: Monitor the “health status” of your security measures (monitoring of the monitoring systems).

Analogy 10: Professional attackers rarely use the main entrance.

The break-in is only discovered on Monday morning during another fire alarm. By this time, the perpetrators have long since fled with the loot.
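Analogies 8 and 9 translate directly into detection logic. The sketch below is an added example, not part of the original article: it flags privileged actions outside business hours, escalates bursts of them, and raises an alert when a log source stops reporting. The business hours, thresholds, source name and sample events are constructed assumptions loosely modelled on the timeline above.

```python
from datetime import datetime, timedelta

# Assumed policy values (not from the article).
BUSINESS_DAYS = range(0, 5)           # Monday..Friday
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59
BURST_LIMIT = 3                       # off-hours privileged actions per window
BURST_WINDOW = timedelta(minutes=30)
MAX_SILENCE = timedelta(minutes=15)   # longest tolerated gap per log source

def off_hours(ts):
    """True when ts lies outside the defined regular working hours."""
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS

def detect(events, now):
    """events: (timestamp, source, action) tuples; returns sorted alerts."""
    alerts, recent, last_seen = [], [], {}
    for ts, source, action in sorted(events):
        last_seen[source] = ts        # any record, heartbeat included, proves liveness
        if action == "privileged" and off_hours(ts):
            # Keep only off-hours privileged actions inside the sliding window.
            recent = [t for t in recent if ts - t <= BURST_WINDOW] + [ts]
            burst = len(recent) >= BURST_LIMIT
            kind = "OFF_HOURS_BURST" if burst else "OFF_HOURS_PRIVILEGED"
            alerts.append((ts, kind, source))
    # Monitoring of the monitoring: a source that went quiet is itself an alert.
    for source, ts in last_seen.items():
        if now - ts > MAX_SILENCE:
            alerts.append((ts + MAX_SILENCE, "SOURCE_SILENT", source))
    return sorted(alerts)

def sample_events():
    """Constructed sample data: locker openings on a Saturday, then silence."""
    fri, sat = datetime(2025, 12, 26), datetime(2025, 12, 27)
    ev = [(fri.replace(hour=10), "vault-log", "privileged")]   # in hours: no alert
    ev += [(sat.replace(hour=10, minute=m), "vault-log", "privileged")
           for m in (30, 35, 40, 45)]
    ev += [(sat.replace(hour=h, minute=m), "vault-log", "heartbeat")
           for h in range(11, 15) for m in range(0, 60, 10)]
    ev.append((sat.replace(hour=15), "vault-log", "heartbeat"))  # last record
    return ev

if __name__ == "__main__":
    for ts, kind, source in detect(sample_events(), datetime(2025, 12, 27, 16, 0)):
        print(ts.isoformat(), kind, source)
```

The silence check only fires if every source emits a periodic heartbeat, so that a quiet source can be told apart from a dead one.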

5. The Aftermath

After the crime, it turns out that the standard insurance does not cover the damage. Only a few customers had supplementary insurance. If the bank is found to be negligent, it is liable for the loss - a burden that threatens the bank’s very existence.

If we transfer this case to information security, we have to ask ourselves:

  • Was it ever defined with employees what is considered “suspicious”?
  • Were there reporting channels (SOC/Incident Response) that were manned 24/7, even on public holidays?
  • Did the risk register also take internal perpetrators into account and provide for appropriate monitoring measures?
  • Were purple team exercises carried out to test the response to real attack scenarios?

There is clear evidence that a strong security culture could have prevented or at least impeded this break-in in several places:

  • Lack of surveillance: The parking garage area was apparently considered non-critical - a fallacy.
  • Manipulation: The open escape door went unnoticed due to a lack of awareness of such physical anomalies.
  • Lack of escalation: The alarm in combination with the blocked access to the archive should have triggered a police search.

Key learnings for your security culture:

  • Encourage suspicions: Encourage employees and external parties to report not only clear incidents, but also what is already “suspicious”.
  • Positive error culture: Reward reports, even if they turn out to be false positives. This promotes fear-free reporting behavior.
  • Keep an eye on interfaces: Monitor networks and access points particularly closely if they serve as a bridge to highly sensitive areas.
  • Beat operational blindness: Carry out regular Purple Team exercises with external experts to sharpen your awareness of your own weak points.

Would you like to know how your safety culture is doing? Let’s talk about it over a coffee, physically or virtually. I look forward to the exchange!

About the author

Markus Günther
Senior Security Consultant
MSc IT GRC Management
CISA, GCFA, CISSP, SSAP

Promoting security culture and awareness and conducting strategy and compliance assessments are my passion. Thanks to my many years of experience in the practical implementation of these topics, I know the challenges at first hand. I use this knowledge to provide my clients with practical advice and develop tailor-made solutions.
