SAP employee finds stolen SSD with personal data on eBay
An eBay listing uncovers a stolen SAP SSD containing the personal information of employees, raising concerns about data security.
Sketchy deals on online marketplaces like eBay are a common occurrence. Counterfeit, stolen, broken, or falsely advertised items sold by third parties are no surprise. However, stumbling upon a stolen possession can be shocking, as one SAP employee recently discovered.
According to a report from The Register, an employee at the software giant SAP found an SSD for sale on eBay that was one of four recently stolen from SAP data centres in Germany's Baden-Württemberg. The unnamed sources close to the incident revealed that the device contained the personal records of dozens of workers.
The Register stated, "One of the disks later turned up on eBay and was bought by an SAP employee. They were able to identify that it belonged to SAP. The disk contained personal records of 100 or more SAP employees."
According to The Register's sources, the data centres housing the stolen SSDs lacked sufficient physical checks, which allowed someone to move the devices from a secure location to a less secure building within the campus.
SAP is presently investigating the matter and has yet to locate the other three stolen SSDs. According to The Register, SAP's European data centres have experienced five burglaries in the past two years.
When Ars Technica reached out to SAP regarding the report, the company provided the following statement, which was also shared with The Register:
"SAP takes data security very seriously. Please understand that while we don’t comment on internal investigations, we can confirm we currently have no evidence suggesting that confidential customer data or PII (personally identifiable information) has been taken from the company via these disks or otherwise."
The circumstances surrounding how the employee identified the storage device on eBay, determined it belonged to SAP, and validated this information remain unclear. It is possible that the employee, who may have been actively searching for the stolen property, came across the listing fortuitously.
An SAP employee discovered an SSD stolen from SAP data centres listed on eBay; it contained the personal information of numerous employees.
The lack of physical checks in the data centres allowed the theft and relocation of the devices.
SAP is investigating the incident, with three stolen SSDs still missing.