Oracle sues SAP; alleges 'corporate theft on a grand scale'

Written by Larry Dignan, Contributor

The war between Oracle and SAP is about to move beyond enterprise applications to the courtroom.

Oracle said Wednesday that it has sued SAP "about corporate theft on a grand scale" seeking undisclosed damages. Oracle also argues that the theft formed the basis of SAP's "Safe Passage" program, which is designed to entice Oracle customers to switch to SAP. SAP won't comment until it has reviewed the complaint.

"We have just been notified of the lawsuit, and have taken note of the Oracle press release," said an SAP spokesman. "We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow its standard policy of not commenting on pending litigation."

According to the complaint, Oracle discovered in November "heavy download activity on Oracle's customer support Web site for PeopleSoft and J.D. Edwards products." The site contained information on program and software updates, patches and instructions. Oracle, however, alleges that software and technical support materials, which have limited download rights, were downloaded en masse from an IP address originating in Bryan, Texas, home of SAP's TomorrowNow (SAP TN) subsidiary, which offers support to PeopleSoft and J.D. Edwards customers.

"Oracle’s server logs have recorded access through this same IP address by computers labeled with SAP identifiers using SAP IP addresses," said Oracle, which noted that customers didn't partake in downloading. The lawsuit is just the latest volley in an ongoing war between SAP and Oracle.

The two parties increasingly take jabs at each other. And the fight has increasingly become one of collecting support and maintenance fees from technology buyers. Indeed, SAP bought TomorrowNow in 2005 partially as a way to convince Oracle customers to switch to SAP.

In the complaint Oracle said:

"Oracle brings this lawsuit after discovering that SAP is engaged in systematic, illegal access to – and taking from – Oracle’s computerized customer support systems. Through this scheme, SAP has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers. SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle’s proprietary, password-protected customer support website. From that website, SAP has copied and swept thousands of Oracle software products and other proprietary and confidential materials onto its own servers. As a result, SAP has compiled an illegal library of Oracle’s copyrighted software code and other materials. This storehouse of stolen Oracle intellectual property enables SAP to offer cut rate support services to customers who use Oracle software, and to attempt to lure them to SAP’s applications software platform and away from Oracle’s."

Oracle is seeking "to stop SAP’s illegal intrusions and theft, to prevent SAP from using the materials it has illegally acquired to compete with Oracle, and to recover damages and attorneys’ fees."

Oracle is alleging that SAP used the company's support documents to undercut pricing in an attempt to gain customers. Oracle claims it saw a spike in downloads in November and December of 2006 as SAP employees downloaded information.

From the complaint:

"SAP employees using the log-in credentials of Oracle customers with expired or soon-to-expire support rights had, in a matter of a few days or less, accessed and copied thousands of individual Software and Support Materials. For a significant number of these mass downloads, the users lacked any contractual right even to access, let alone copy, the Software and Support Materials. The downloads spanned every library in the Customer Connection support website. For example, using one customer’s credentials, SAP suddenly downloaded an average of over 1,800 items per day for four days straight (compared to that customer’s normal downloads averaging 20 per month). Other purported customers hit the Oracle site and harvested Software and Support Materials after they had cancelled all support with Oracle in favor of SAP TN. Moreover, these mass downloads captured Software and Support Materials that were clearly of no use to the “customers” in whose names they were taken. Indeed, the materials copied not only related to unlicensed products, but to entire Oracle product families that the customers had not licensed."

Apparently, the downloading continued into the new year. In January 2007, Oracle claims that SAP logged in as Honeywell International and accessed the company's support materials "in virtually every product library in every line of business."

Oracle continues:

"This copying went well beyond the products that Honeywell had licensed and to which it had authorized access. In other examples, users from SAP logged in using the credentials of recently departed customers, like Metro Machine Corp., and downloaded Software and Support Materials even after the customer had dropped its support rights with Oracle. Oracle has found many examples of similar activity. Across its entire library of Software and Support Materials in Customer Connection, Oracle to date has identified more than 10,000 unauthorized downloads of Software and Support Materials relating to hundreds of different software programs."

The techniques allegedly deployed by SAP's TomorrowNow unit were also detailed.

"SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle’s system under false pretexts. Employing these techniques, SAP users effectively swept much of the contents of Oracle’s system onto SAP’s servers. These “customer users” supplied user information (such as user name, email address, and phone number) that did not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of “xx” “ss” “User” and “NULL.” Others used phony email addresses like “test@testyomama.com” and fake phone numbers such as “7777777777” and “123 456 7897.” In other cases, SAP blended log-in information from multiple customers with fake information. For example, one user name connected to an SAP IP address appears to have logged in using the credentials of seven different customers in a span of just 15 days – all from SAP computers in Bryan, Texas."

The common thread in these intrusions, according to Oracle: All of the accounts accessed belonged to Oracle customers that had become or were about to become SAP TomorrowNow customers.

"In the course of this investigation, Oracle discovered a pattern. Frequently, in the month before a customer’s Oracle support expired, a user purporting to be that customer, employing the customer’s log-in credentials, would access Oracle’s system and download large quantities of Software and Support Materials, including dozens, hundreds, or thousands of products beyond the scope of the specific customer’s licensed products and permitted access. Some of these apparent customer users even downloaded materials after their contractual support rights had expired."
"Oracle’s support servers have even received hits from URL addresses in the course of these unlawful downloads with SAP TN directly in the name (e.g. http://hqitpc01.tomorrownow.com). Indeed, for many of these downloads, Oracle noticed that SAP TN did not even bother to change the false user information from customer to customer when it logged in."

Oracle, the database and applications giant, goes on to document its war with SAP for customers. The customer accounts allegedly accessed read like a who's who of corporate America.

Oracle has uncovered unlicensed downloads linked to SAP TN on behalf of numerous customers, including without limitation, Abbott Laboratories, Abitibi-Consolidated, Inc., Bear, Stearns & Co., Berri Limited, Border Foods, Caterpillar Elphinstone, Distribution & Auto Service, Fuelserv Limited, Grupo Costamex, Helzberg Diamonds, HerbertWaldman, Honeywell International, Interbrew UK, Laird Plastics, Merck & Co., Metro Machine Corp., Mortice Kern Systems, Inc., National Manufacturing, NGC Management Limited, OCE Technologies, B.V., Ronis, S.A., Smithfield Foods, SPX Corporation, Stora Enso, Texas Association of School Boards, VSM Group AB, and Yazaki North America.

If this lawsuit goes to trial, it will be interesting for another reason: Details about the cutthroat nature of the enterprise applications business, pricing practices, customer testimony and corporate espionage precedent are likely to emerge.
