Did SAP spy on its employees, German union asks

With the victory in the SAP works council elections behind them, the unions are taking a confrontational stance with the software company. The Ver.di works group says it has discovered a data leak in SAP’s internal systems and is now demanding a full explanation.

The leak affects the “SAP Interactive Broadcast” online service, which was developed internally and is only accessible to SAP employees and is used for employee and works council meetings. In addition to audio and video information, the service also offers the option of asking questions and voting on them, it said. These functions should be anonymous by default.

However, according to the Ver.di group in the SAP Works Council, all questions and the voting behavior on them could be clearly assigned to individual persons over the years. In addition, this information was automatically uploaded to all computers participating in the meetings and was thus effectively accessible to the entire workforce. “Traceability was trivial to establish. An experienced programmer could spot the error at first glance,” states Andreas Hahn, a member of the Ver.di works council.

Union representatives report that the company stopped the traceability promptly after Ver.di’s internal works group reported the matter to the internal cyber security department and recently communicated the incident internally to the workforce. However, many questions still remain unanswered.

Exposing employees violates democratic principles

“The employer must fully clarify the data leak incident,” said Christine Muhr, SAP corporate counsel for Ver.di. “Personal data protection must be safeguarded with the highest priority, as must the vested right to freedom of expression in companies. Where this is not guaranteed, employees effectively become people under surveillance. That would be a violation of democratic principles.”

Trade unionist Hahn demands that SAP “provide full transparency to the workforce and co-determination bodies about how long this traceability was already possible and which internal events were affected.” In addition, any data that may still exist would have to be deleted in a verifiable manner and the technical details about how the service works would have to be shared with the worker representatives.

SAP says data protection is a top priority

SAP acknowledges that there was a privacy issue. “In this case, the alertness of a colleague enabled a theoretically possible circumvention of our security measures to be uncovered and immediately remedied,” the software company said in a statement. “Data protection is a top priority for SAP, and we respect the privacy of every individual.” Internal tools are regularly checked and kept up to date, it said. As part of this, the team members also review the relevant technical security requirements.

Translated from an article published by CIO.com’s German sister publication, Computerwoche: “Hat SAP seine Mitarbeiter ausspioniert?“