SAP HCM Security

What is SAP HCM?

The widely used SAP Human Capital Management (HCM) system can also be delivered as a single module of SAP HR for an SAP ECC system. SAP HCM is an element of SAP Business Suite, where critical data is typically stored and processed. At the base of SAP HCM are components that automate and optimize different processes and functions, some of them responsible for managing:

  • Organization and staff structure;
  • Personnel records;
  • Time planning and tracking;
  • Payroll;
  • Employee benefits.

SAP HCM (SAP HR) Security Risks

There are multiple risks related to SAP CRM systems. Some of them are listed below.

Salary / Wage data theft (Espionage)

With access to the SAP HR system, an attacker can compromise information about the most qualified and competent employees. For example, if the salaries of top executives were revealed, competing HR departments could use this data to entice those employees by making irresistible job offers.

Identity theft (Espionage)

The SAP HR system stores confidential personal information, such as social security numbers. The latter, by the way, can be acquired by means of the PA20 transaction. Depending on the country, other personal identifiers and sensitive data could be critical:


  • SSN – Social Security Number
  • Government forms (I-9, W2, and other)
  • Driver license numbers


  • SGB – social security number, Social Welfare code


  • CPF – taxpayer identification number (Cadastro de Pessoa Física)

As an example, the U.S. Department of Energy has been recently hacked, which resulted in a leak of the personal data of 104,000 employees. As was discovered later, their HR system was directly accessible via the Internet.

Regulatory rules violation (Sabotage)

An attacker can compromise data that must be stored securely in accordance with regulatory requirements (HIPAA, SOX, Safe Harbor, etc.). Another scenario is misconfiguring the system so that data storage no longer meets the standards. As a result, the company would have to pay fines.

Salary data: unauthorized modifications (Fraud)

With access to the SAP HR system, insiders can change their wages. Since a direct change can be easily detected, the risk lies in changing the number of additional working hours to be processed, which in the end affects the wage. In such a case the fraud is extremely difficult to detect.

Delayed Salary payout (Sabotage)

A denial-of-service attack against the HR system, for example one executed on payday, could delay salary payout, cause growing dissatisfaction among employees and, in the long run, negatively impact their productivity. If this attack is executed with a certain frequency in a difficult economic or geopolitical situation, it can even lead to strikes.

SAP HCM Vulnerabilities

The SAP HCM system uses SAP NetWeaver Application Server ABAP (AS ABAP) as its main platform, so it is potentially exposed to all the vulnerabilities of the platform, which total more than a thousand. Moreover, different SAP HCM modules contain up to 50 specific vulnerabilities.

How can our software be of help to ensure SAP CRM Security?

ERPScan Security Monitoring Suite for SAP contains a wide range of checks aimed at discovering security issues specific to SAP CRM Systems. The solution’s leading position in the field has been confirmed by multiple awards. This is the only SAP SE-certified solution on the market to identify, analyze and remediate all SAP security issues and to enable powerful protection against cyber-attacks and fraud. It covers all three tiers of SAP security: vulnerability management, source code review for custom programs and segregation of duties (SoD).