SSD missing from SAP datacenter turns up on eBay, sparking security investigation

Four disks believed stolen from Walldorf facility, at least one containing company data

Exclusive: An SSD disk missing from an SAP datacenter in Walldorf has turned up on eBay, leading to a security investigation by the German software vendor.

According to sources close to the incident, four SSD disks went missing from SAP's Walldorf datacenters in Baden-Württemberg, southwest Germany, in November last year.

One of the disks later turned up on eBay and was bought by an SAP employee. They were able to identify that it belonged to SAP. The disk contained personal records of 100 or more SAP employees.

A subsequent investigation found that the disks had been stolen, although human error and process failure also contributed to their loss, The Register understands.

The investigation showed there were no physical checks on people leaving the datacenter, which was described as a secure location. The disks were moved to an unsecured building in the HQ complex and from there they were stolen. The whereabouts of the three remaining disks are unknown to SAP.

The Register understands it is the fifth incident of disks going missing from SAP's European datacenters in two years.

In response to questions raised by The Register, an SAP spokesperson said the disks so far contained no personally identifiable information (PII).

"SAP takes data security very seriously. Please understand that while we don't comment on internal investigations, we can confirm we currently have no evidence suggesting that confidential customer data or PII has been taken from the company via these disks or otherwise," they said.

The security breach will be an embarrassment to SAP as the company, centered on enterprise resource planning (ERP) software, strives to increase its success in cloud computing and software as a service, both through its own cloud services and services hosted by third-party providers.

In 2019, Finnish data removal specialist Blancco found that of a sample of 159 random used drives on eBay in the US and Europe, 42 percent (or 67 devices) enabled anyone with basic IT literacy to access the data stored by their previous owners. A whopping 15 percent contained PII that could be used by cybercriminals, the company said. ®

 
