The service sector union Ver.di has made public an internal data leak at SAP. Sensitive information from the workforce is said to have been widely accessible. Credit: Peter Sayer/IDG With the victory in the SAP works council elections behind them, the unions are taking a confrontational stance with the software company. The Ver.di works group says it has discovered a data leak in SAP’s internal systems and is now demanding a full explanation. The leak affects the “SAP Interactive Broadcast” online service, which was developed internally and is only accessible to SAP employees and is used for employee and works council meetings. In addition to audio and video information, the service also offers the option of asking questions and voting on them, it said. These functions should be anonymous by default. However, according to the Ver.di group in the SAP Works Council, all questions and the voting behavior on them could be clearly assigned to individual persons over the years. In addition, this information was automatically uploaded to all computers participating in the meetings and was thus effectively accessible to the entire workforce. “Traceability was trivial to establish. An experienced programmer could spot the error at first glance,” states Andreas Hahn, a member of the Ver.di works council. Union representatives report that the company stopped the traceability promptly after Ver.di’s internal works group reported the matter to the internal cyber security department and recently communicated the incident internally to the workforce. However, many questions still remain unanswered. Exposing employees violates democratic principles “The employer must fully clarify the data leak incident,” said Christine Muhr, SAP corporate counsel for Ver.di. “Personal data protection must be safeguarded with the highest priority, as must the vested right to freedom of expression in companies. Where this is not guaranteed, employees effectively become people under surveillance. That would be a violation of democratic principles.” Trade unionist Hahn demands that SAP “provide full transparency to the workforce and co-determination bodies about how long this traceability was already possible and which internal events were affected.” In addition, any data that may still exist would have to be deleted in a verifiable manner and the technical details about how the service works would have to be shared with the worker representatives. SAP says data protection is a top priority SAP acknowledges that there was a privacy issue. “In this case, the alertness of a colleague enabled a theoretically possible circumvention of our security measures to be uncovered and immediately remedied,” the software company said in a statement. “Data protection is a top priority for SAP, and we respect the privacy of every individual.” Internal tools are regularly checked and kept up to date, it said. As part of this, the team members also review the relevant technical security requirements. Translated from an article published by CIO.com’s German sister publication, Computerwoche: “Hat SAP seine Mitarbeiter ausspioniert?“ Related content how-to How to create an effective business continuity plan A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood, or cyberattack. Here’s how to create a plan that gives your business the best chance of surviving such an By Mary K. Pratt, Ed Tittel, Kim Lindros Dec 07, 2023 11 mins Small and Medium Business IT Skills Backup and Recovery interview WestRock CIDO Amir Kazmi on building resiliency Multidimensional resiliency is vital to setting yourself, your teams, and your organization up for success. Kazmi sets the tone at WestRock by recognizing the pace of change, instilling a learning and growth mindset, and being transparent with his te By Dan Roberts Dec 07, 2023 8 mins IT Strategy Staff Management IT Leadership brandpost Sponsored by FPT Software Time for New Partnership Paradigms to Be Future-fit By Veronica Lew Dec 06, 2023 5 mins Vendors and Providers brandpost Sponsored by BMC Why CIOs should prioritize AIOps in 2024 AIOps empowers IT to manage services by incorporating AI/ML into operations. By Jeff Miller Dec 06, 2023 3 mins IT Leadership Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe