Gov’t. Warning: SAP and Oracle ERP Systems Vulnerable to Hackers

A new warning from the Dept. of Homeland Security is alerting users of Oracle and SAP ERP systems that they are vulnerable to hacks, data breaches and the theft of valuable information in attacks launched by offshore actors – both private and state-sponsored. Based on analyses from security firms Digital Shadows and Onapsis following breaches affecting at least a dozen companies and two government agencies, DHS is warning there are security flaws in older versions of ERP software systems from the two developers that many users have not bothered to update and patch.

According to DHS, potentially thousands of ERP systems are affected.

Besides the pair of unnamed U.S. government agencies, businesses in the media, energy and finance sectors have been already hit. Data thieves are able to access highly sensitive financial information, manufacturing secrets, employee and customer data including things such as credit card and

Social Security numbers stored in related systems such as HR and CRM that often are tied to ERP.

Hacker Focus

Many of the ERP-based security risks go back well over a decade, to the earliest days of the 21st century. But the report reveals a new level of focus on the software by hackers, cyber criminals and even government agencies who may just be realizing what a treasure trove of data the systems hold.

The CEO of Onapsis, Mariano Nunez, told the Reuters news service that “These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected. The urgency level among chief security officers and CEOs should be far higher.”

Oracle didn’t comment on the DHS alert and SAP merely issued a statement reminding users to implement security patches when they are released each month.

The problem is that, for users of older systems, there is some justifiable concern that while the fixes may close security holes they might also impair the smooth functioning of their ERP software system.

Not the First

Amazingly, this isn’t the first time that ERP system users have been warned that they are under threat.

As far back as 2016, DHS warned that dozens of legacy SAP systems were being targeted by Chinese hackers’ intent on exploiting out-of-date software still used by dozens of companies. Onapsis uncovered that vulnerability, as well. But while that alert had relatively narrow implications for business, the new alarm covers 17,000 identified SAP and Oracle installations at more than 3,000 companies, universities and government agencies.

Although Washington did not name specific companies, journalists covering the issue say that the information they have seen reveals that many of the largest and best-known businesses in America and around the world are affected.

In the meantime, Digital Shadows uncovered the reality that Russian and Chinese hackers have launched forums on the “dark web” on how to exploit SAP and Oracle vulnerabilities. As well, these same hackers have been caught eavesdropping on discussion boards where legitimate third-party tech contractors share work tips, reveal where security flaws exist and talk about ways to fix them.

More Data, More Risks

What is startling to me as an attorney who drafts and negotiates ERP software system contracts is that more than 10,000 servers are running programs that are incorrectly configured even though one of our jobs is to specify in detail how the developer and integrator will set up an ERP project. This could subject them to direct attacks using well-known and previously-identified SAP or Oracle glitches.

There are more than 4,000 known problems in SAP software and some 5,000 in Oracle software, primarily in older systems that users think it would not be economical to correct.

Worse, as more ERP systems are tied to other business functions and moved to the cloud, the risks are increasing exponentially. Because few attacks on internal systems are publicly disclosed, the problem remains overlooked or ignored by senior IT and C-suite executives.

Likewise, as Artificial Intelligence and Internet of Things developers begin marketing their enhancements to legacy, about-to-be upgraded and new ERP systems, the risks are increasing. As I wrote on Dec. 14, 2018, the security features currently installed in both AI and the IoT are not sufficient to protect an ERP system.


For ERP users, it is increasingly important to install security patches as they are issued by developers. And developers need to work with customers to ensure that a fix isn’t going to have a negative effect on the functioning of ERP systems.

Especially for users, it is a good time to review the ERP contract to understand what you are required to do and what the developer and integrator are liable for ensuring to help keep the ERP system as safe as possible from hackers.

As I – and many others – have said, what can get hacked and stolen will get hacked and stolen. So much sensitive data and business information is stored inside ERP systems, they are a ripe target for both industrial espionage and just plain mischief. If you have questions about your system and what its contract says and means, be sure to contact an experienced ERP attorney. Too much is at stake to simply brush this aside as another government warning.