SAP discloses security lapses; says there was no data breach

BERLIN (Reuters) - Business software group SAP disclosed on Tuesday that some of its cloud products did not meet contractual or statutory security standards and said it would take remedial action to fix the problem as soon as possible.


The shortcomings were not identified in response to a specific security incident, the German company said, nor did it believe that any customer data had been compromised as a result of those issues.

While SAP, Europe’s most richly valued technology company, declined to elaborate on a statement it issued overnight, the news follows management turmoil and a reduction to its profit forecast due to the coronavirus pandemic.

Analysts said it could dampen enthusiasm among SAP’s client base to back a digital transformation in which it is seeking to shift the operation of enterprise, human resources and marketing applications to off-site datacentres from its traditional model of putting servers at customer locations.

“Events like this don’t help SAP’s reputation, and both existing and new customers of SAP will likely spend more time digging into SAP’s product security now,” said Jefferies analyst Julian Serafini.

SAP shares fell by 0.4%, underperforming a gain of 1.4% in Germany’s 30-share DAX index of blue-chip stocks.

SAP, founded by a group of IBM alumni in the 1970s, recently ended its dual leadership structure with co-CEO Jennifer Morgan leaving, bringing an end to the six-month tenure of the first woman to head a top-tier German listed company.

American Morgan was responsible for SAP’s cloud operations. Christian Klein, a protege of co-founder and Chairman Hasso Plattner, is now sole CEO of the company based in the southwest German town of Walldorf.


SAP said it had initiated action to address the shortcomings it has identified in relation to contractually agreed or statutory security standards. This work would be completed to a large extent in the second quarter.

“SAP is informing affected customers – approximately 9% of SAP’s 440,000 customers – and providing full product and customer support,” the company said.

“The expenses related to the remediation are expected to be covered within the range of SAP’s current 2020 financial outlook.”

The products affected range from human resources to travel and expenses management, sales and analytics. Gartner analyst Christian Hestermann estimated that the remedial measures would affect the bulk of SAP’s cloud customer base.

SAP also named a new top security team, appointing Tim McNight as Chief Security Officer, Richard Puckett as Chief Information Security Officer and John Coovert as Global Head of Physical Security.

It has opened a new “Cyber Fusion Center” in Newtown Square, PA, as a hub for its global security operations.

The company denied that the security measures were taken in response to a specific hacking incident.

Asked specifically whether there was any link to the exploits of a group of suspected Chinese cyber-spies known as “Cloud Hopper” that penetrated the IT systems of several large companies, a spokeswoman said: “None whatsoever.”

Additional reporting by Jack Stubbs; editing by David Evans