Oracle sues SAP; alleges 'corporate theft on a grand scale'

Oracle sues SAP; alleges 'corporate theft on a grand scale'

Summary: The war between Oracle and SAP is about to move beyond enterprise applications to the courtroom. Oracle said Wednesday that it has sued SAP "about corporate theft on a grand scale" seeking undisclosed damages.


The war between Oracle and SAP is about to move beyond enterprise applications to the courtroom.

Oracle said Wednesday that it has sued SAP "about corporate theft on a grand scale" seeking undisclosed damages. Oracle also argues that the theft formed the basis of SAP's "Safe Passage" program, which is designed to entice Oracle customers to switch to SAP. SAP won't comment until it has reviewed the complaint.

"We have just been notified of the lawsuit, and have taken note of the Oracle press release," said an SAP spokesman. "We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow is standard policy of not commenting on pending litigation." 

According to the complaint, Oracle discovered in November "heavy download activity on Oracle's customer support Web site for PeopleSoft and J.D. Edwards products. The site contained information on program and software updates, patches and instructions. Oracle, however, alleges that software and technical support materials, which have limited download rights, were downloaded en masse from an IP address originating in Bryan, Texas, home of SAP's TomorrowNow (SAP TN) subsidiary, which offers support to PeopleSoft and J.D. Edwards customers.

"Oracle’s server logs have recorded access through this same IP address by computers labeled with SAP identifiers using SAP IP addresses," said Oracle, which noted that customers didn't partake in downloading. The lawsuit is just the latest volley in an ongoing war between SAP and Oracle.

The two parties increasingly take jabs at each other. And the fight has increasingly become one of collecting support and maintenance fees from technology buyers. Indeed, SAP bought TomorrowNow in 2005 partially as a way to convince Oracle customers to switch to SAP.

In the complaint Oracle said:

"Oracle brings this lawsuit after discovering that SAP is engaged in systematic, illegal access to – and taking from – Oracle’s computerized customer support systems. Through this scheme, SAP has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers. SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle’s proprietary, password-protected customer support website. From that website, SAP has copied and swept thousands of Oracle software products and other proprietary and confidential materials onto its own servers. As a result, SAP has compiled an illegal library of Oracle’s copyrighted software code and other materials. This storehouse of stolen Oracle intellectual property enables SAP to offer cut rate support services to customers who use Oracle software, and to attempt to lure them to SAP’s applications software platform and away from Oracle’s."

Oracle is seeking "to stop SAP’s illegal intrusions and theft, to prevent SAP from using the materials it has illegally acquired to compete with Oracle, and to recover damages and attorneys’ fees."

Oracle is alleging that SAP used the company's support documents to undercut pricing in an attempt to gain customers. Oracle claims it saw a spike in downloads in November and December of 2006 as SAP employees downloaded information.

From the complaint:

"SAP employees using the log-in credentials of Oracle customers with expired or soon-to-expire support rights had, in a matter of a few days or less, accessed and copied thousands of individual Software and Support Materials. For a significant number of these mass downloads, the users lacked any contractual right even to access, let alone copy, the Software and Support Materials. The downloads spanned every library in the Customer Connection support website. For example, using one customer’s credentials, SAP suddenly downloaded an average of over 1,800 items per day for four days straight (compared to that customer’s normal downloads averaging 20 per month). Other purported customers hit the Oracle site and harvested Software and Support Materials after they had cancelled all support with Oracle in favor of SAP TN. Moreover, these mass downloads captured Software and Support Materials that were clearly of no use to the “customers” in whose names they were taken. Indeed, the materials copied not only related to unlicensed products, but to entire Oracle product families that the customers had not licensed."
Apparently, the downloading continued into the new year. In January 2007, Oracle claims that SAP logged in as Honeywell International and accessed the company's support materials "in virtually every product library in every line of business."

Oracle continues:
"This copying went well beyond the products that Honeywell had licensed and to which it had authorized access. In other examples, users from SAP logged in using the credentials of recently departed customers, like Metro Machine Corp., and downloaded Software and Support Materials even after the customer had dropped its support rights with Oracle. Oracle has found many examples of similar activity. Across its entire library of Software and Support Materials in Customer Connection, Oracle to date has identified more than 10,000 unauthorized downloads of Software and Support Materials relating to hundreds of different software programs."

The techniques allegedly deployed by SAP's Tomorrow Now unit were also detailed.

"SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle’s system under false pretexts. Employing these techniques, SAP users effectively swept much of the contents of Oracle’s system onto SAP’s servers. These “customer users” supplied user information (such as user name, email address, and phone number) that did not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of “xx” “ss” “User” and “NULL.” Others used phony email addresses like “” and fake phone numbers such as “7777777777” and “123 456 7897.” In other cases, SAP blended log-in information from multiple customers with fake information. For example, one user name connected to an SAP IP address appears to have logged in using the credentials of seven different customers in a span of just 15 days – all from SAP computers in Bryan, Texas."

The common thread in these intrusions according to Oracle: All of the accounts accessed were about Oracle customers that became or were about to become SAP TomorrowNow customers.

"In the course of this investigation, Oracle discovered a pattern. Frequently, in the month before a customer’s Oracle support expired, a user purporting to be that customer, employing the customer’s log-in credentials, would access Oracle’s system and download large quantities of Software and Support Materials, including dozens, hundreds, or thousands of products beyond the scope of the specific customer’s licensed products and permitted access. Some of these apparent customer users even downloaded materials after their contractual support rights had expired."
"Oracle’s support servers have even received hits from URL addresses in the course of these unlawful downloads with SAP TN directly in the name (e.g. Indeed, for many of these downloads, Oracle noticed that SAP TN did not even bother to change the false user information from customer to customer when it logged in."

Oracle goes on to document the war between the database and applications giant and SAP for customers. The customer accounts allegedly accessed read like a who's who of corporate America.

Oracle has uncovered unlicensed downloads linked to SAP TN on behalf of numerous customers, including without limitation, Abbott Laboratories, Abitibi-Consolidated, Inc., Bear, Stearns & Co., Berri Limited, Border Foods, Caterpillar Elphinstone,Distribution & Auto Service, Fuelserv Limited, Grupo Costamex, Helzberg Diamonds, HerbertWaldman, Honeywell International, Interbrew UK, Laird Plastics, Merck & Co., Metro Machine Corp., Mortice Kern Systems, Inc., National Manufacturing, NGC Management Limited, OCE Technologies, B.V., Ronis, S.A., Smithfield Foods, SPX Corporation, Stora Enso, Texas Association of School Boards, VSM Group AB, and Yazaki North America.

If this lawsuit goes to trial, it will be interesting for another reason: Details about the cutthroat nature of the enterprise applications business, pricing practices, customer testimony and corporate espionage precedent are likely to emerge.

Topic: SAP

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Framed?

    This sounds more like a disgruntal employee trying to take down his own company. Armed with logins for your biggest competitor, why else would you use your own company network to download the files? Use a local coffee shop's wifi!
    • Not hardly...

      SAP did it, they are going to pay the price.
      • SAP isn't ever gonna pay a penny

        Oracle's security is easy to intrude, anybody can do it. They only have themselves to blame.
        Besides Larry Ellison is megalomaniac. - He still hungers to become the richest man the world. Also will never happen.
        • Hmmmm

          So if the door is unlocked it's ok to steal anything that's not nailed down? I don't think so. It looks to me like SAP got caught with their hands in the cookie jar up to their elbows. Just because you don't like Ellison (and what sane person does) doesn't mean that SAP has the right to steal the property of a competitor.
          • Hmmm...

            ... but if you had valuables that you left in plain view within reach of an open window, the court would not offer you much sympathy.

            In ways this does not look all that different from a careless homeowner moaning that their property has been nicked.
          • unfair competition

            Theft is theft. It doesn't matter if it was easy to steal or hard.
            Think about this situation the next time a hacker penetrates a hole in your company's security. It is the same thing. You left a window open. Someone chose to reach in and grab what wasn't theirs.
            In the case of the Oracle software, they had to obtain a password and accept an online agreement about fair use of the software. In your company's case, you setup a firewall that you thought was good enough. Both cases left a hole for people who are unscrupulous.
            Both situations also run up the cost of doing business.
            SAP's actions are bad for everyone.
          • RMS Smiling all around

            After all, the data wants to be free, right?
            Too Old For IT
          • WHAT

            so every shop owner should not be allowed to display their product and have a door available for cusomters to enter the building.

            and if you happen to see a shop with an open door, and products on display, its your "RIGHT" to enter and take those products,, !!! YOU MORON,,
          • silly

            It seems oracle lets paying customers download what they - its called marketing. Allowing custoemrs to educate themselves before buying more modules. It also keeps it simple for oracle - they dont have to classify each document, note , tip and technique by module whic would be crazy as so many things interlap. What oracle expects is that customers will not use this material to compete with them for customers. Guaraunteed this excessive downloading would not be a problem if the people doing the downloading werent competing with oracle for customers and using the collateral oracle created to do it
        • Larry Ellison is Megalomaniac? Offensive to Meglomaniacs!

          I know megalomaniacs that would be offended to be included in the same sentance as Larry Ellison.
          Too Old For IT
      • Oracle can't foresee the future?

        May the heads soon roll at SAP!

        But??aside from whether anyone at SAP broke or didn't break any signed agreements, or Website usage agreements??*one* parameter of judging whether "trade secrets" were stolen (or just that information was taken) is how well the information was protected and treated as "secret."

        If you keep your customer lists on a lobby desk, photocopying them is not seen as being as grave an offense as if you kept them under lock and key near a security camera, which the perp must have had had to breach. Your treatment of your data defines its value to you.

        If you don't proactively keep your information *secret* in at least a couple of possible ways??e.g., stating so in policy and contracts, background checks on employees, physical measures, cameras, passwords with tough standards, sign-out/in sheets, access audits??you only have data, not "trade secrets."

        The SAP employees were (apparently) entirely dishonest, but Oracle failed to foresee and forfend the obvious.
      • This is the same Oracle ...

        This is the same Oracle that used to root around in Microsoft's transh bins, right?
        Too Old For IT
  • Who's in charge of security at Oracle?

    I'm still amazed Oracle itself is telling everyone about such massive [b]unauthorized[/b] downloads without even trying to explain why their systems allowed them in the first place. If I understand correctly, [b]anyone[/b] can access their servers and download anything by just providing any kind of fake credentials. Hello?
    • Security defined.

      OK, go to your local store. You see items on the shelf for purchase. What's to keep you from taking something and walking out without paying for it? Same applies here. The data was stolen, period. That's against the law. DUH!
      • Not the same thing here

        We're talking about a wide open website here that allowed anonymous downloads. There was no security broken at all. Oracle might as well have put buckets of fruits on their sidewalk with a "help yourself" sign.
        • Not quite right, George

          Oracle didn't have a "help yourself" sign on the document site. The proper security might not have been in place, but SAP still knew they were accessing Oracle's intellectual property. If they claim otherwise, they're also insinuating their own stupidity on a grand scale.

          A closer analogy would be if Oracle placed buckets of fruit in their lobby and put a sign on them, "For our customers." SAP should know that this would not include them, because they hadn't purchased anything from Oracle.
          • SAP encourced their customers to download docs legally

            SAP encourced their customers to download docs legally; all of them. Here's a good read.
        • Theft's OK when it's easy?

          I live in NYC.

          I walk down the street where there are thousands of carts of fruit, racks of clothes,
          shelves of books, all FOR SALE on the sidewalk.

          Often, these goods are "protected" by a single (overweight, venerable) person who
          sits on a folding easy-chair and smokes cigars.

          Would George say such practices are invitations for me to take the displayed
          goods without paying?

          Could I use that as a defense if I took such things and found myself arrested?

          I find it amazing that responses to this case are so polarized. The vast majority of
          the responses are either, "I hate Oracle, so SAP should get off" or "SAP are thieving
          bastards who should be eviscerated."

          As someone who has no direct experience or interests in either company, I find it
          fascinating. The case really goes to the heart of "intellectual property" debates in
          so many ways.

          I know for certain that neither simple answer is correct.
          • It's not the same as taking fruit

            The accounts being used were from former Oracle customers who were entitled to download those documents. As for downloads from "User" or "Null", Oracle would need to prove beyond just their own server logs.

            As far as comparing this to taking fruit, they weren't taking it. It was the copying of publicly available data.
          • Red Herrings and EULAs

            <<The accounts being used were from former Oracle customers who were entitled
            to download those documents.>>

            Well, not exactly, according to Oracle...

            They claim that customers are only "entitled" to download documents/software
            pertaining to the products that they purchased/licensed.

            In other words, any given customer would have had to buy every single product
            Oracle sells in order to be "entitled" to download everything on the support site.

            What I think is really at issue is "how binding are end-user agreements?"

            Example: MS says you can't run Vista basic in a VM.

            But how are they going to STOP you? If they can't stop you, are you "entitled" to
            do it, even though it violates the license agreement?

            Same thing here. The "end user agreement" to use the Oracle support site says
            you can't download stuff for products you didn't buy. If Oracle "tried" to prevent
            people from downloading stuff but failed, does that change the equation?