NetSuite Data Archiving: Protecting ERP Data from Breaches and Misconfigurations

Apr 30
5 min read

NetSuite is a powerful ERP platform. Businesses use it to manage finance, supply chains, and operations — all in one place. But recent findings reveal a serious problem: thousands of NetSuite customers may be unknowingly exposing sensitive data to unauthenticated users.

AppOmni's Chief of SaaS Security Research, Aaron Costello, published a report with alarming findings. Several thousand NetSuite customers were unintentionally leaking data through externally facing stores on NetSuite SuiteCommerce or NetSuite Site Builder. The cause? Misconfigurations in access controls — specifically within Custom Record Types (CRTs). These misconfigurations let unauthorized users access sensitive information, including customer addresses and mobile phone numbers.

How Are These Breaches Occurring?

The vulnerabilities stem from how organizations configure NetSuite's APIs. NetSuite offers a range of access control settings, but organizations frequently misconfigure CRTs. CRTs store custom data and give businesses flexibility in how they control access — but many teams leave them set to "No Permission Required," which inadvertently opens the door to unauthenticated access.

Costello's report found several key issues:

Many NetSuite customers didn't know their instance included a default public-facing store. That store was exposing customer data from day one.
Misunderstood access control settings commonly exposed sensitive PII.
Misconfigured CRTs allow unauthorized users to access data through NetSuite's SuiteScript API. Attackers can exploit this to retrieve customer information — even when organizations believe their data is secure.

A flaw in NetSuite itself didn't cause these breaches. Misconfigurations in the platform's table-level and field-level access controls did. A common example: setting a field's Default Access Level to "None" feels like a secure choice. But if the Default Level for Search/Reporting is still set to "Edit," malicious actors can still pull that data via the API.

Key Trends in ERP Security Risks

NetSuite is not alone. Cloud-based ERP systems across the board face mounting security challenges.

1. API Exploitation More businesses rely on APIs to streamline operations. Attackers have taken notice. Misconfigured APIs drive over 80% of cloud platform data breaches.

2. Inadequate Access Controls Misconfigured access controls now rank among the most common causes of data breaches in ERP systems like NetSuite and Salesforce. Many businesses simply don't have a clear picture of how permissions work — and that gap leaves sensitive data exposed.

3. Third-Party Risks Organizations often connect ERP systems to other tools and platforms. Each integration expands the attack surface. Poorly secured connections create backdoors into otherwise protected systems.

Person in blue clothes runs with a briefcase, escaping from a laptop screen. Papers and a lock icon depict cyber activity.

Why NetSuite Data Archiving and On-Prem Backup Are Crucial

Cloud ERP environments grow more complex every year. Cyber threats keep pace. Together, these trends make NetSuite data archiving and on-prem backup essential parts of any data security strategy.

1. Complete Control Over Your Data On-prem solutions like those offered by Sesame Software give organizations full control over their data. Instead of relying on a cloud vendor's access controls, businesses can enforce their own — and pair that with a structured NetSuite data archiving strategy. By moving sensitive historical records out of the live environment entirely, you eliminate a major class of exposure risk.

2. Reduced Exposure to Misconfigurations Third-party vendors regularly update and modify cloud-based systems. That creates ongoing opportunities for misconfigurations to slip through. With an on-prem solution, businesses control how data is stored, accessed, backed up, and archived. No vendor introduces unexpected changes.

3. Protection from API Vulnerabilities APIs are critical for ERP operations — but they're also a significant attack vector. On-prem solutions reduce reliance on external APIs. Archiving NetSuite data into a controlled, off-system destination limits how much sensitive information is ever reachable through API-accessible live records.

4. Regulatory Compliance Finance, healthcare, and other regulated industries face strict data retention and security requirements. NetSuite data archiving helps meet those requirements. Your archiving strategy preserves sensitive records in a controlled environment — one that doesn't depend on public-facing cloud access.

Steps to Prevent NetSuite Data Leaks

Organizations can take concrete steps today to reduce their exposure.

Review CRT Access Controls Audit your existing CRTs. Ensure that sensitive data is properly restricted. If a CRT must be public, use role-based permissions to lock down sensitive fields.

Disable Unnecessary Public Sites Many organizations have unintentionally deployed public-facing SuiteCommerce websites. If you don't need them, take them offline. They represent unnecessary risk.

Implement a NetSuite Data Archiving Strategy Regularly move historical and inactive records out of your live NetSuite environment into a secure archive. Fewer live records means a smaller attack surface — and less exposure if a misconfiguration occurs.

Monitor and Audit API Usage Regularly Review API usage and access logs for suspicious activity on a consistent schedule. If you suspect a breach, administrators can request transaction logs directly from NetSuite support.

Train Administrators on Best Practices Most misconfigurations come from a knowledge gap, not negligence. Training your administrative team — including on NetSuite data archiving best practices — can significantly reduce the risk of human error.

Cloud ERP systems like NetSuite continue to grow in adoption — and so do the risks that come with them. Misconfigurations and API exploitation pose real, ongoing threats. Cloud solutions offer real benefits, but those benefits carry new responsibilities. Businesses that build strong data security strategies, including proactive NetSuite data archiving, position themselves far ahead of evolving threats. Moving historical records out of the live environment and into a secure, controlled destination dramatically reduces your attack surface.

Next Steps

Explore NetSuite Data Export & Archival → Move historical records out of your live environment into a secure, queryable archive — with full record count reconciliation and zero data loss.
Talk to a NetSuite Data Expert → Schedule a demo and build a security and archiving strategy tailored to your business.

NetSuite Data Security & Archiving FAQ

What is NetSuite data archiving and how does it improve security?

NetSuite data archiving moves historical or inactive records from your live environment into secure, long-term storage. From a security standpoint, archiving shrinks the amount of sensitive data in your active system. Less live data means a smaller blast radius if a misconfiguration or API exploit occurs. Data that isn't in your live environment can't be accessed through a misconfigured CRT or public-facing SuiteCommerce store.

How do NetSuite misconfigurations lead to data breaches?

Misconfigurations — particularly around CRTs and field-level access settings — can expose sensitive data to unauthenticated users through NetSuite's APIs. A common example: setting a field's Default Access Level to "None" while leaving the Default Level for Search/Reporting set to "Edit." That setting still lets attackers retrieve data via the API. Teams often make these errors unintentionally, and without regular auditing, they go unnoticed.

What are NetSuite data archiving best practices for security-conscious organizations?

Key NetSuite data archiving best practices include: archiving sensitive historical records on a regular schedule; using a solution that performs full record count reconciliation to confirm no data disappears; storing archives in an on-prem or privately controlled destination; implementing role-based access controls on your archive; and pairing your archiving program with regular audits of CRT permissions and API access logs in your live environment.

Can Sesame Software help with NetSuite data archiving and retention?

Yes. Sesame Software provides NetSuite data archiving and retention solutions for organizations across finance, healthcare, manufacturing, and other regulated industries. Our platform moves historical NetSuite records into your chosen destination — on-prem, cloud, or hybrid — with full record count reconciliation and zero data loss. We work with your team to align the archiving strategy with your specific regulatory and security requirements.

Why should I consider on-prem solutions for NetSuite backup and archiving?

On-prem solutions give your organization complete control over where your data lives, who can access it, and how it's secured. None of that is fully guaranteed in a cloud-only environment. For businesses in regulated industries — or those that have experienced ERP misconfigurations — on-prem NetSuite data archiving adds a critical layer of protection. It reduces dependence on vendor-managed access controls and limits API-based exposure.

Found this post helpful? Share it with your network using the links below.