, SecurityFocus 2007-03-22
Database and enterprise software firm Oracle filed a lawsuit on Thursday against German application maker SAP claiming that the European firm pilfered an enormous number of documents and software from Oracle's customer-only support systems.
The lawsuit, filed after the close of SAP's European business day, alleged that the German software maker and its subsidiaries used the usernames and passwords of former--and soon-to-be-former--Oracle customers to download more than 10,000 support documents between September 2006 and January 2007. In some cases, the activity appeared as a "systematic pattern of sweeping" Oracle's database just days before a customer's support contract was about to expire, downloading information for products that the customer did not have deployed.
Oracle traced the suspect activity to the Texas-based offices of customer support subsidiary SAP TN (formerly, TomorrowNow), which SAP purchased in January 2005. The company had provided support services for customers of PeopleSoft, an enterprise software maker that Oracle acquired earlier the same month. In its court filing, Oracle charged that SAP TN used the access to Oracle's system to clone its support database and offer discounted services to former Oracle customers.
"In short, to try to 'keep the pressure on Oracle,' SAP has been engaged in a systematic program of unfair, unlawful, and deceptive business practices that continues to this day," Oracle stated in the filing. "Through its legitimate and illegal business practices, SAP has taken Oracle's Software and Support Materials and apparently used them to insinuate itself into Oracle's customer base, and to attempt to convert these customers to SAP software applications."
SAP was still analyzing the claims in the lawsuit and could not comment on the specific allegations, a company spokesperson stated in an e-mail to SecurityFocus.
"We have just been notified of the lawsuit, and have taken note of Oracle's news release and what is on its Web site," said spokesman Steve Bauer. "We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow is standard policy of not commenting on pending litigation."
Attacks on information systems for competitive intelligence has increasingly become a problem. In 2005, government and corporate information-security specialists detected a number of targeted attacks aimed at fooling knowledgeable employees. The number of attacks, many appearing to come from China, has only risen in the past 18 months.
Oracle and SAP have had a knock-down rivalry brewing ever since Oracle bought PeopleSoft and became a serious competitor to SAP, said Judith Hurwitz, president of analyst firm Hurwitz & Associates.
"Clearly these guys are going after each other pretty ferociously," Hurwitz said. "For SAP to buy a company to undercut Oracle's maintenance pricing ... It clearly was to get access and knowledge of Oracle's customer base, that is clearly why SAP bought them."
Oracle's lawsuit alleges that the purchase did not deliver enough. The 37-employee SAP TN focused mainly on sales and not on technical development, the filing claims. Instead, the company allegedly used the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials.
"SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle's system under false pretexts," Oracle stated in the filing. "Employing these techniques, SAP users effectively swept much of the contents of Oracle's system onto SAP's servers."
In late 2006, Oracle noticed "huge, unexplained spikes" in the number of its customers that had kept searching for more information after receiving the initial results of a search. Moreover, the renewed search attempts occurred within seconds of each other, suggesting that the actions had been automated, not performed by a human.
"Oracle soon discovered that many of these 'customers' had taken massive quantities of Software and Support Materials beyond their license rights, over and over again," the court filing states.
The conclusion caused Oracle to embark on an investigation into what was happening. The company allegedly found that the unauthorized access to its network originated from SAP's computers, not from the customers whose credentials were used. Credentials assigned to electronics maker Honeywell, pharmaceutical giant Merck and industrial technology firm SPX were all used to access Oracle's system, the software company stated.
Oracle's lawsuit repeatedly points to wording in software and service license agreements that stipulate that the customer support material is proprietary and only for use by the firm's customers.
The lawsuit makes eleven claims under the Computer Fraud and Abuse Act, economic espionage laws and regulations against unfair competition. The court filing does not specify what damages or penalties are sought by Oracle.