Oracle Cries 'Thief'

By Paul McDougall, Charles Babcock

And we thought we'd heard the last of pretexting accusations.

Oracle makes that charge against its archrival, claiming in a civil lawsuit filed last week that SAP employees pretended to be Oracle customers to log on to one of the company's Web sites and copy proprietary technical and customer-support data. Describing SAP's actions as "corporate theft on a grand scale," Oracle claims that SAP gathered the support documentation to provide cut-rate support for Oracle products, then shift those companies to SAP products.

SAP declined to comment beyond saying it would "aggressively defend against the claims made by Oracle."

The case throws fuel on one of the most heated rivalries in all of business technology. It also raises questions about how valuable customer service and support data is and how well it's protected.

The logons of major Oracle customers such as Bear Stearns, Honeywell, Merck, Metro Machine, and SPX allegedly were used to take the documents. Oracle claims that when those logons were used, the companies all had become or were about to become customers of SAP's Oracle support service, known as SAP TN.

The TN stands for TomorrowNow, a provider of PeopleSoft software support services that had 37 employees when SAP acquired it in 2005. SAP touted the company in a "Safe Passage" program aimed at supporting PeopleSoft customers and, it hoped, transitioning them to SAP business software.

Oracle's complaint, filed in U.S. District Court in San Francisco, doesn't use the dry legalese typically found in such documents. Instead, it reads as a broadside at its longtime competitor. That's the tone CEO Larry Ellison has set ever since Oracle acquired PeopleSoft in 2005, pitting Oracle in a one-on-one battle with SAP for enterprise software market share.

The suit notes that questions were raised in 2005 about how SAP TN, even after expanding to 150 employees, could keep up with the bug fixes, patches, regulatory updates, and other manually intensive tasks needed to support the software. "Oracle has now solved this puzzle," the complaint says. "To stave off the mounting competitive threat from Oracle, SAP unlawfully accessed and copied Oracle's software and support materials."


If these customer-support assets are among Oracle's crown jewels, the company didn't keep them under the best lock and key.

In some cases, real customer names were used to access information on products for which those customers had licenses. But in other cases, intruders posing as customers with legitimate logons were able to blow past the security perimeter and access information and code to which the legitimate customer had no license. In other cases, the companies had already switched to SAP TN, the Oracle complaint says, but their logons apparently still were active.

According to Oracle's filing, SAP employees would at times log on to Oracle servers using easy-to-spot fake names like NULL or, simply, User. On other occasions they would key in obviously phony e-mail addresses--including test@test bogus phone numbers comprised of a single, repeating digit.

Ultimately, Oracle caught on to the unusual volume of requests. It claims in one case that phony IDs were used to access Oracle servers and download "more than 1,800 items per day for four days straight." That's not typical of what a customer with a support problem would do; Oracle says the customer whose logon was used normally executed just 20 downloads a month.

Oracle says an investigation into huge traffic spikes on its Customer Connection servers showed that the logons originated not from computers at the customer's location, but from computers with IP addresses originating from SAP TN's Bryan, Texas, offices.

The case calls attention to a business practice that may prove to be more widespread than it is well known--pretending to be a competitor's customer to glean valuable information from the competitor's support site. A form of pretexting--a practice that received much exposure when Hewlett-Packard investigators used it to obtain phone records to uncover boardroom leaks--it can be done by anyone who has gained a valid customer's name and password to log on to the site.

"Companies do this all the time, quite frankly," says Ed Gaudet, VP of product management at Liquid Machines, a company that makes e-mail and content control products that, in part, are aimed at preventing such intrusions. Oracle's suit alleges that SAP TN downloaded 10,000 items, including support documents, bug fixes, and software patches. If so, that would put it in a different class from a competitor who comes in under a valid user name and downloads one or two items associated with a new product.

Oracle claims SAP used the information to provide support for Oracle applications but doesn't cite specific examples of such direct use. Even if a downloader doesn't use such information in direct support activities, it can have high value, Gaudet says. "The information indicates the weaknesses of a competitor's products--the bug fixes, the workarounds," he says. That kind of information can be used to talk down rival products in sales calls. Also, a pretexter who accesses a support site with specific customer information could find out who's having problems and, thus, who's more likely to switch vendors.

Even with Oracle's claims of economic harm, it's managing to soldier on. Last week it reported that third-quarter profit rose 35% over the year-earlier quarter on 27% higher revenue, as it successfully digests several acquisitions. SAP revenue rose 7%, according to preliminary fourth-quarter results from January, with net income up 29%.

The filing illustrates how difficult it is for third-party support companies to lure customers from application vendors, wrote Merrill Lynch analyst Kash Rangan in a report last week. The suit claims the downloads were made on behalf of 25 to 30 customers. Though there may be more who've signed with SAP TN, it's "likely a small fraction of Oracle's 30,000+ apps customers," Rangan writes, despite prices about half what Oracle charges. So why is Oracle so worked up? Its support gross margins are 85% or more, Rangan said, and those services provide a vital recurring revenue stream.

The lawsuit isn't going to thrill customers of either company. Oracle's security comes out looking less than bulletproof. And SAP must answer sweeping charges leveled against it. Customers like having two well-matched rivals beating each other's brains out in the marketplace. When it's the courtroom, they're less impressed.

Photo by Justin Sullivan/Getty Images

Copyright © 2007 CMP Media LLC.