[ISN] Oracle sues SAP on spying charges

From: InfoSec News (alerts@private)
Date: Thu Mar 22 2007 - 23:50:24 PST


By Dawn Kawamoto
Staff Writer, CNET News.com
March 22, 2007

Oracle announced Thursday that it has filed a lawsuit against archrival 
SAP, alleging the software giant hacked into Oracle's customer support 
center and downloaded copies of its proprietary software code.

The lawsuit, filed in the U.S. Federal District Court for Northern 
California, names SAP and its wholly owned subsidiary TomorrowNow as 
defendants. Among its claims, the lawsuit [1] (PDF) alleges SAP and 
TomorrowNow engaged in computer fraud and abuse, computer data access 
and fraud, and intentional interference with prospective economic 

SAP will not comment until it has had a chance to review the lawsuit, a 
spokesman said.

Oracle says that in late November it noticed an unusually heavy volume 
of download activity on Oracle's password-protected customer support and 
maintenance site for its PeopleSoft and J.D. Edwards customers.

Upon a review of the Customer Connection site, Oracle alleges that it 
found more than 10,000 illicit downloads in which customers with 
expired, or soon-to-expire, support and maintenance contracts had 
accessed the support and maintenance site. Oracle claims that one common 
thread among all of the customers with allegedly misappropriated 
customer IDs is that they were about to become, or had recently become, 
an SAP TomorrowNow customer.

"This systematic theft of Oracle's software and support materials did 
not originate from any actual customer location. Rather, the access 
originated from an Internet protocol (IP) address in Bryan, Texas, an 
SAP America branch office location and home of its wholly owned 
subsidiary SAP TN," the lawsuit alleges.

TomorrowNow, which SAP acquired in 2005, offers support and maintenance 
to PeopleSoft and J.D. Edwards customers. SAP and TomorrowNow launched a 
major marketing campaign to woo away customers, shortly after Oracle 
acquired its former rivals PeopleSoft and J.D. Edwards in 2005.

SAP employees allegedly used log-in IDs of multiple PeopleSoft and J.D. 
Edwards customers to access Oracle's Customer Connection system, but 
then supplied bogus e-mail addresses, user names and phone numbers.

Oracle is asking the court to issue a preliminary restraining order 
against SAP to limit access to its customer support site, as well as an 
order that would require the return of the alleged illicit customer 
support and maintenance documents.

The lawsuit alleges the misappropriated Customer Connection accounts 
were used to access software and support materials that went beyond the 
coverage in a customer's contract.

"Using one customer's credentials, SAP suddenly downloaded an average of 
over 1,800 items per day for four days straight, compared to that 
customer's normal downloads averaging 20 per month," the lawsuit 

Oracle and SAP are both familiar with wearing the shoe on the other 

In 1999, SAP filed a lawsuit against rival Siebel Systems alleging some 
of its trade secrets "mentally" went out the door when Siebel hired 27 
of SAP's key employees. The parties eventually settled the lawsuit the 
following year.

And in 2000, Oracle acknowledged it had hired private investigators to 
ferret out information on whether two research groups that supported 
Microsoft during its antitrust trial were actually funded by the 
software giant. The investigation firms reportedly tried to buy trash 
from the crews that cleaned the offices of the research firms.

[1] http://www.oracle.com/sapsuit/complaint.pdf

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Fri Mar 23 2007 - 00:05:58 PST