Oracle Corp. and SAP AG could soon be squaring off in the courtroom as a result of a lawsuit filed by Oracle against its fiercest competitor that alleges corporate theft by the German-based ERP company.
The claim, filed yesterday in the U.S. District Court for Northern California, alleges that SAP and its wholly owned subsidiary, TomorrowNow (SAP TN), unlawfully downloaded thousands of proprietary software products and other confidential material from Customer Connections, Oracle's customer support Web site. Oracle is seeking an injunction against SAP, as well as unspecified compensatory and punitive damages.
According to the lawsuit, an IP address traced to a Bryan, TX, SAP branch office — and the home of TomorrowNow — was the source of a series of systematic sweeps of Oracle's Web site that resulted in more than 10,000 illicit downloads of proprietary software patches, bug fixes, and support materials across several Oracle product lines. Under the Computer Fraud and Abuse Act and copyright infringement claims, Oracle seeks to stop SAP's alleged intrusion and theft; to prevent SAP from using any proprietary Oracle materials that were illegally acquired; and to recover damages and attorney fees. The lawsuit states that the monetary damages are to be determined during the anticipated trial. Oracle claims that it has invested billions of dollars in R&D and engineering for software updates and fixes covered by the suit.
The lawsuit casts a light on SAP's Safe Passage program, of which TomorrowNow was the first cornerstone. Shortly after Oracle acquired PeopleSoft in December 2004, SAP made what is generally acknowledged as a countermove by acquiring TomorrowNow, until then an independent provider of support services to PeopleSoft customers. With TomorrowNow as a subsidiary, SAP in January 2005 unveiled its Safe Passage program, which offered support to customers of the acquired PeopleSoft products at as little as 50% of Oracle's rates. Safe Passage also created a migration path to SAP for users of other legacy applications that Oracle had acquired. The software at issue in the current lawsuit includes applications acquired from Oracle's purchases of JD Edwards, PeopleSoft, and Siebel Systems.
Oracle alleges that the common denominator among the downloads under suspicion is that all of the customer login IDs used to access Oracle's Web site were those of companies that were defecting from Oracle-supplied support to SAP TN's support services. Among the manufacturing customers whose login credentials were supposedly used by SAP are Honeywell International, Merck & Co., Abbott Laboratories, Smithfield Foods, and Metro Machine Corp. — however, Oracle does not assert any wrongdoing on the part of these or any other end users in this case. Nowhere in the lawsuit does Oracle seek to explain how SAP allegedly gained the login credentials of these customers.
SAP, which is still reviewing the lawsuit, declined to address specific allegations. The company issued an updated statement noting that "SAP will not comment other than to make it clear to our customers, prospects, investors, employees, and partners that SAP will aggressively defend against the claims made by Oracle in the lawsuit. SAP will remain focused on delivering products and services — including those from TomorrowNow — that ensure success for our customers."
According to SAP's Web site, more than 390 customers have signed up for SAP's Safe Passage program since 2005. In its lawsuit, Oracle contends that SAP used the log-in information of multiple companies to gain access to the Customer Connections Web site, downloading sometimes thousands of files at a time. Honeywell, for example, historically conducted about 20 downloads of software and support materials per month, the suit claims. "Then, after switching to SAP TN, a user employing Honeywell's log-in ID downloaded over 7,000 software and support materials in less than two weeks in January 2007," the lawsuit states.
These spikes in download activity across a number of departing Oracle services customers began to appear last November, according to Oracle. While the log-ins were those of Oracle customers, the company claims that names and phone numbers — also required information for accessing the support database — were falsified to mask the true identity of the individual. Oracle's allegations have shadings of the recent scandal at HP, which involved claims of pretexting — a practice by which a person presents himself as another individual to get access to confidential or proprietary data.
A report issued by The 451 Group, an independent IT analyst firm, notes, "If someone illegally accessed Oracle's secure site, then action needs to be taken. And it makes sense that Oracle is simply defending against a company looking to undercut a major revenue stream by offering inexpensive support." The report continues, "Discerning whether SAP or any non-Oracle entity 'pretexted' Oracle users and accessed its IP should be straightforward. Determining how much IP SAP might have gathered — and whether it is proprietary — may be more difficult."
The idea that Oracle would allow its customers access to its source code, however, is farfetched, said Martin Schneider, 451 Group's senior analyst for enterprise software.
"The real value of what was swept from the customer site is not as high as Oracle is claiming," Schneider said in an interview with Managing Automation. "It was patches and bug fixes, stuff that they freely give away... It's not like they took source code."
While there are proprietary instruction manuals copyrighted and owned by Oracle on the customer support site, when it comes to understanding the secrets of the code, a hacker wouldn't be able to get much, Schneider explained. "Oracle is not stupid... There's a lot of protection around source code management," he said.