SAP HCM Security

What is SAP HCM?

The widely used SAP Human Capital Management (HCM) system can also be delivered as a single module of SAP HR for the SAP ECC system. SAP HCM is an element of SAP Business Suite, where critical data is typically stored and processed. SAP HCM is built on components that automate and optimize different processes and functions. Some of them are responsible for managing:

  • Organization and staff structure;
  • Personnel records;
  • Time planning and tracking;
  • Payroll;
  • Employee benefits.

SAP HCM (SAP HR) Security Risks

There are multiple risks related to SAP HCM systems. Some of them are listed below.

Salary / Wage data theft (Espionage)

With access to the SAP HR system, an attacker can compromise information about the most qualified and competent employees. For example, if the salaries of the top executives are revealed, competing HR departments can use this data to entice those employees away by making irresistible job offers.

Identity theft (Espionage)

The SAP HR system stores confidential personal information, such as social security numbers, which can be acquired by means of the PA20 transaction. Depending on the country, other personal identifiers and sensitive data can be critical:


  • SSN – Social Security Number
  • Government forms (I-9, W2, and other)
  • Driver license numbers


  • SGB – Social Security Number, Social Welfare Code


  • CPF – Taxpayer Identification Number (Cadastro de Pessoa Física)

For example, the U.S. Department of Energy was recently hacked, which resulted in a leak of the personal data of 104,000 employees. As was discovered later, their HR system was directly accessible via the Internet.

Regulatory rules violation (Sabotage)

An attacker can compromise data that must be stored safely in accordance with different regulatory requirements (HIPAA, SOX, Safe Harbor, etc.). Another scenario is misconfiguring the system so that the data storage no longer meets the standards. In this case, the company will be fined.

Salary data: unauthorized modifications (Fraud)

With access to the SAP HR system, insiders can change their wages. Since a direct change can be easily detected, the risk lies in changing the number of additional working hours to be processed, which in the end affects the wage. In such a case, the fraud is extremely difficult to detect.
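One control against the overtime manipulation described above is to review time-data change records for self-maintenance (a segregation-of-duties violation) and for jumps against the employee's own history. The following Python code is an added example, not ERPScan or SAP code; the record layout, user IDs, personnel numbers and the user-to-personnel mapping are constructed assumptions.

```python
from statistics import median

# Constructed sample records; this layout is an assumption, not an SAP export format.
# (changed_by, personnel_no, pay_period, overtime_before, overtime_after)
CHANGES = [
    ("HRCLERK", "1001", "2024-01", 0.0, 5.0),
    ("HRCLERK", "1001", "2024-02", 0.0, 6.0),
    ("HRCLERK", "1002", "2024-01", 0.0, 4.0),
    ("HRCLERK", "1002", "2024-02", 0.0, 5.0),
    ("MBROWN",  "1002", "2024-03", 5.0, 8.0),   # employee edits own hours
    ("HRCLERK", "1001", "2024-03", 6.0, 30.0),  # large jump entered by a clerk
]

# Hypothetical mapping from system user ID to that user's own personnel number.
USER_TO_PERNR = {"JSMITH": "1001", "MBROWN": "1002", "HRCLERK": "1003"}


def review_overtime_changes(changes, user_to_pernr, ratio=2.0, min_history=2):
    """Return [(record, [reasons])] for overtime changes that need a second reviewer."""
    findings = []
    for rec in changes:
        changed_by, pernr, period, before, after = rec
        reasons = []
        # Segregation of duties: nobody should maintain their own time data.
        if user_to_pernr.get(changed_by) == pernr:
            reasons.append("SELF_CHANGE")
        # Baseline: the same employee's overtime in the other pay periods.
        others = [r[4] for r in changes if r[1] == pernr and r[2] != period]
        if (after > before and len(others) >= min_history
                and after > ratio * median(others)):
            reasons.append("OUTLIER")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in review_overtime_changes(CHANGES, USER_TO_PERNR):
        print(rec, reasons)
```

The self-change rule catches the modest increase that a size threshold alone would miss, which is the case the paragraph above describes as hard to detect.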

Delayed Salary payout (Sabotage)

A denial-of-service attack on the HR system executed on payday, for example, can delay salary payout, increase dissatisfaction among the employees, and negatively impact their productivity. If this attack is executed with a certain frequency, in a difficult economic or geopolitical situation, it can even lead to strikes.

SAP HCM Vulnerabilities

The SAP HCM system uses SAP NetWeaver Application Server ABAP (AS ABAP) as its main platform. Thus it is potentially exposed to all vulnerabilities of the platform, which total more than a thousand. Moreover, different SAP HCM modules contain up to 50 specific vulnerabilities.

How can our software help to ensure SAP CRM Security?

ERPScan Smart Cybersecurity Platform for SAP has a wide range of checks designed to discover security issues specific to SAP CRM Systems. The solution’s leading position in the field has been confirmed by multiple awards. This is the only SAP SE certified solution on the market able to identify, analyze, and remediate all SAP security issues, and to provide powerful protection against cyber attacks and fraud. It embraces all three areas of SAP security: vulnerability management, source code review for custom programs and segregation of duties (SoD).