Ethical hacking reveals leaks in SAP systems

By hacking – on request – into the SAP environments at a multinational, PwC’s cybersecurity experts revealed that the company was as leaky as the proverbial sieve.

What was the problem?

How secure are our SAP systems – which we depend on every day for our processes, intellectual property, contracts, and all kinds of privacy-sensitive information? That was the question that a multinational put to PwC’s cybersecurity experts. The company concerned has dozens of SAP environments all over the world. As with many multinationals, it’s a patchwork of systems that’s the result of local implementations, country-level organisations, business units, and acquisitions. The issue of vulnerability had come up because of news about the impact of cyberattacks on SAP systems at other companies.


So what was the solution?

Two of PwC’s experts spent a month hacking into the company’s SAP environments, applying the same techniques used by malicious hackers. And the result? They were able to take over almost all the various environments or shut them down completely. If they had wanted to, the PwC experts could have altered, copied or deleted data, and they could also have made payments. According to the agreed rules, they in fact only made screenshots of information to show that they had been inside. After verification with the system managers responsible, the full report was sent to the CIO. The concise summary was: you need to fix this immediately.

What was the result?

The result, above all, was a greatly increased sense of urgency at the multinational. After getting over the shock, the client initiated a follow-up programme in collaboration with PwC. First of all, we made the current environments more secure, for example by improving the method of communication between the systems and by making password storage more secure. Tackling the top ten vulnerabilities already improved security by 80%. We also drew up a management plan to guarantee cybersecurity in the longer term. For example, the company is now implementing “security notes” systematically, is periodically measuring the level of its cybersecurity, and has assigned responsibilities to the right people with sufficient expertise.

Contact us

Bram van Tiel


Partner Cybersecurity & Dataprivacy, PwC Netherlands

Tel: +31 (0)62 243 29 62
