The hard lesson on data privacy: Record data breach of 34 million records
By Joyee Pan | 11 December 2025
Recently, a leading e-commerce company in South Korea/Asia experienced one of the largest data breaches in more than a decade. Nearly 34 million customer records were exposed, including names, email addresses, phone numbers, addresses and order histories. While no payment and login credentials were compromised, the leaked personal data was enough to enable identity theft, phishing, impersonation and targeted social engineering attacks.
The most striking part of this incident wasn’t just the size; it was how the breach happened. Early investigations pointed toward the misuse of an internal credential belonging to a former employee. With that single oversight, unauthorised access continued quietly for nearly five months before it was detected.
This incident occurred just because an internal credential belonging to a former employee was still active, giving access to a large amount of Personally Identifiable Information (PII).
Similar breaches have occurred in other companies around the world.
This is a powerful reminder that modern data privacy compliance is not only about meeting regulatory requirements or getting certified. It doesn’t always take a sophisticated cyberattack to cause damage. Often, these failures reflect problems with Governance, Risk & Compliance (GRC) and with roles and authorisations: inadequate access controls, gaps in accountability, weak internal processes and forgotten accounts.
Why do GRC and access breaches matter for SAP customers?
This incident exposes a simple truth to many SAP customers. The real danger is not the data itself, but who can access it. SAP landscapes are large, complex and highly integrated. They contain highly sensitive PII, including employee profiles, payroll histories, financial details, supplier data and customer records. All of this is essential to run the business – and the business cannot afford for this data to be compromised.
As business operations grow, and SAP landscapes evolve, data increases. User access grows over time, and often introduces risks no one intended.
1. Roles and authorisations grow quietly
As teams grow, job functions change, projects begin and end, and access permissions accumulate. Some of these accesses are never removed. Over time, access in SAP grows the same way clutter grows in a house. No one puts them there on purpose, but a year passes and suddenly, the cupboards are full of things no one remembers keeping.
2. Business users can see too much data
The way SAP roles and authorisations are designed has a huge impact on how easy it is to control access. Some organisations design large and complex roles that make it difficult for business users to understand what access someone actually has. Even when work being done is legitimate, this access ends up giving users far more visibility into sensitive PII than their role requires.
3. Dormant accounts remain active too long
Most SAP environments have accounts for ‘inactive’ developers, integration partners and IT/Basis teams that still work long after they should have been deactivated. These accounts often retain their access and visibility into sensitive PII, and in many cases no one is actively responsible for them. This is exactly what led to the data breach incident in Asia.
4. Sensitive PII spreads across multiple systems
Production data is often copied into development, QA and testing environments to support training or troubleshooting. These copies frequently include PII, and are often created without masking or anonymisation.
From 2025, global data privacy regulators make no distinction between Production and non-production systems. If PII is stored or processed, even for testing, it is subject to the same legal and ethical obligations. Read this blog by Paul Hammersley to understand what your SAP support contract really expects from your test systems.
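As an added illustration of the masking step this section calls for (example code written for this article, not the method used by Data Secure or any other product), the block below pseudonymises direct identifiers before a production extract is loaded into a non-production system, keeps the referential consistency that test scenarios depend on, and checks that no original value survives in the copy. The key, field names and customer rows are all constructed for the example.

```python
import hashlib
import hmac

# Key held only by the production-side masking job; it is never shipped with
# the copy. Constructed value for this example.
MASK_KEY = b"constructed-example-key-do-not-reuse"


def pseudonym(value: str, length: int = 12) -> str:
    """Keyed one-way token. The same input always yields the same token, so
    rows that referred to the same person still match after masking; without
    the key the token cannot be turned back into the original value."""
    digest = hmac.new(MASK_KEY, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:length]


def mask_customer(row: dict) -> dict:
    """Replace direct identifiers; keep the non-identifying business fields."""
    tok = pseudonym(row["email"])
    return {
        "customer_id": row["customer_id"],        # surrogate key, not PII: keep
        "name": "Customer " + tok[:6].upper(),
        "email": f"user-{tok}@example.invalid",   # .invalid is never routable
        "phone": "000" + str(int(tok[:8], 16) % 10**8).zfill(8),
        "city": row["city"],                      # coarse location kept for testing
        "order_count": row["order_count"],        # needed by test scenarios
    }


def residual_pii(prod_rows, masked_rows) -> list:
    """Post-masking check: any original name, email or phone that still
    appears in the masked copy is returned as (customer_id, field)."""
    originals = {r[f] for r in prod_rows for f in ("name", "email", "phone")}
    return [(m["customer_id"], f) for m in masked_rows
            for f in ("name", "email", "phone") if m[f] in originals]


# Constructed sample rows standing in for a production extract.
PROD_CUSTOMERS = [
    {"customer_id": 1001, "name": "Ada Example", "email": "Ada@example.com",
     "phone": "0123456789", "city": "Seoul", "order_count": 12},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "0987654321", "city": "Busan", "order_count": 3},
]
MASKED_CUSTOMERS = [mask_customer(r) for r in PROD_CUSTOMERS]
```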
5. The picture you thought you knew
Many organisations believe they know who has access. When they run a proper review, they find roles that are no longer needed, accounts that have been inactive for months and access that survived job changes. Without proper monitoring processes or strong GRC reviews, access control drifts much more quickly than anyone realises. By then, the damage is done, and logs become evidence, not protection.
The lesson is not that organisations store too much data, but that data is only as safe as the controls and access around it.
How can you strengthen SAP data privacy and access governance?
The incident in Asia was caused by two main failures:
- A credential that stayed active too long
- Data that could be freely accessed through that credential
SAP customers can prevent this by reducing who can see sensitive PII, where it appears, and how access is monitored. This requires deliberate controls; not just checking the boxes to get certified by the regulators.
A strong SAP privacy and data governance strategy includes:
- Reviewing user access regularly to remove inactive, outdated roles and unnecessary access
- Designing SAP roles in a simpler, more functional way to manage control and review
- Strengthening GRC processes so user access stays aligned with job functions and responsibilities
- Minimising how PII is visible by redacting, scrambling or masking data that is no longer required in its full form
- Ensuring non-production systems do not contain real PII to reduce exposure
- Monitoring activity continuously to detect unusual behaviour early
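The dormant-account problem in point 3 above and the first review item in this list can be turned into a repeatable check. The block below is an added example written for this article (not EPI-USE Labs or Soterion code); it works over constructed rows shaped like SAP's USR02 user master fields as I understand them (BNAME user name, UFLAG lock status, GLTGB validity end, TRDAT last logon date), plus a leaver list from HR. The leaver reconciliation matters most for the incident described: a former employee's credential that is still being used would never look idle, so last-logon age alone cannot catch it.

```python
from datetime import date, timedelta

# Constructed sample of user master rows. TRDAT = last logon date
# (None = never logged on), GLTGB = validity end date (None = unlimited),
# UFLAG = lock status (0 = unlocked, non-zero = locked).
SAMPLE_USERS = [
    {"BNAME": "JSMITH",   "UFLAG": 0,  "GLTGB": None,              "TRDAT": date(2025, 12, 1)},
    {"BNAME": "EX_CONTR", "UFLAG": 0,  "GLTGB": date(2025, 6, 30), "TRDAT": date(2025, 6, 15)},
    {"BNAME": "EX_STAFF", "UFLAG": 0,  "GLTGB": None,              "TRDAT": date(2025, 12, 9)},
    {"BNAME": "OLD_DEV",  "UFLAG": 0,  "GLTGB": None,              "TRDAT": date(2025, 5, 2)},
    {"BNAME": "NEVER_IN", "UFLAG": 0,  "GLTGB": None,              "TRDAT": None},
    {"BNAME": "LOCKED1",  "UFLAG": 64, "GLTGB": None,              "TRDAT": date(2024, 1, 1)},
]

# Constructed HR leaver list: user IDs of people who have left the company.
HR_LEAVERS = {"EX_CONTR", "EX_STAFF"}


def review_accounts(users, today, leavers=frozenset(), max_idle_days=90):
    """Return {user: [findings]} for unlocked accounts that need attention.

    Findings, in priority order:
      leaver-still-active   account of a departed person is still usable,
                            regardless of how recently it logged on
      expired-but-unlocked  validity has ended but the account was never
                            locked or removed (authorisations still attached)
      never-logged-on       provisioned but never used
      idle                  no logon within max_idle_days
    Locked accounts are skipped: they belong to a separate deletion review.
    """
    idle_cutoff = today - timedelta(days=max_idle_days)
    findings = {}
    for u in users:
        if u["UFLAG"] != 0:
            continue
        issues = []
        if u["BNAME"] in leavers:
            issues.append("leaver-still-active")
        if u["GLTGB"] is not None and u["GLTGB"] < today:
            issues.append("expired-but-unlocked")
        if u["TRDAT"] is None:
            issues.append("never-logged-on")
        elif u["TRDAT"] < idle_cutoff:
            issues.append("idle")
        if issues:
            findings[u["BNAME"]] = issues
    return findings
```

EX_STAFF is the case that matters: it logged on two days ago, so an idle-only review would pass it, and only the HR reconciliation flags it.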
This is where EPI-USE Labs’ solutions, along with Partners like Soterion, work together to help prevent internal-access incidents from becoming large-scale breaches.
Data Secure is an SAP-certified solution that scrambles sensitive PII in SAP non-production environments. This ensures that non-production systems contain masked or anonymised data instead of real PII. Even if a credential is misused, the information exposed is not personally identifiable.
Data Redact reduces the amount of sensitive data visible across the landscape by using a rules-based system that separates sensitive PII from the legitimate business data that must remain for audit purposes. By redacting and masking PII that no longer needs to be retained in its full form, it reduces the attack surface without impacting business continuity.
EPI-USE Labs and our Partner Soterion provide agile GRC solutions to quickly identify and rectify access control issues throughout your SAP estate. Soterion solutions enable clear and efficient user access reviews, highlight Segregation of Duties (SoD) conflicts, simplify role clean-up, and empower business owners to understand user access risks. This closes the loop between data protection and access control, ensuring that even if data exists, only the right people can reach it. Read more on how Soterion helps organisations strengthen SAP access governance here.
Don’t wait! Act now to manage your GRC
Improving SAP data privacy and data governance is not a project to postpone. Act now to put measures in place before the next incident happens, not after the fact.
With EPI-USE Labs Data Privacy Suite, and our Partner Soterion, you can tighten access permission, reduce the amount of sensitive PII in your landscape, and ensure your organisation has the visibility it needs to stay secure and compliant.
Disclaimer: This article is for educational purposes only and does not represent or imply any affiliation with, or official information from, the organisation referenced in this or other reported incidents.
Joyee Pan
Based in Malaysia, Joyee brings nearly a decade of experience in marketing and branding across diverse sectors including healthcare, fashion, and information technology. Her role involves crafting and executing marketing initiatives and strategies crucial for establishing and expanding EPI-USE Labs' presence and awareness throughout the Asia region.
