Oracle’s SAP Lawsuit: The ISV Protests Too Much, Methinks

Written by Evan Schuman
March 22nd, 2007

Oracle’s SAP lawsuit accuses SAP of “corporate theft on a grand scale.” So what was stolen? Support material freely available to any of thousands of Oracle customers. These are the super-secret corporate espionage documents that Oracle is screaming about?

The Oracle lawsuit against SAP, although fascinating in its detailed tracking of who took what and when, is so much pure Oracle. This would be like Microsoft suing a small software company and accusing them?with great indignation?of not treating their partners with courtesy and respect.

Based on the full text of the accusation portion of the lawsuit, Oracle certainly seems to make a rock-solid case that tech support documents were downloaded by those without direct authorization. But we need to distinguish between someone hacking their way into a private R&D database and stealing under-development sourcecode and someone looking at documents available t any and all customers, along the lines of?according to Oracle’s own lawsuit filing?”program updates, software updates, bug fixes, patches, custom solutions, and instructional documents across the entire PeopleSoft and JDE family of software products.”

Who is accused of having done these dastardly downloads of instructional documents? Yes, it was SAP, but specifically the TomorrowNow group, which provides third-party support for PeopleSoft and JD Edwards ERP applications, both of which are now owned by Oracle.

The documents in question would likely help this tech support unit better understand Oracle products and thereby be able to better help Oracle’s customers. It’s hard to see how this is injuring Oracle customers.

Assuming the lawsuit’s representations are accurate?which is assuming quite a lot?it seems that one likely scenario of how this happened is that customers migrating away from Oracle and to SAP wanted SAP?and specifically TomorrowNow?to help make the transition easy. In an attempt to help make that happen, they simply gave the SAP people their passwords to the Oracle database.

This would be likely be seen as more of a convenience than some earth-shattering act of corporate espionage, akin to an E-Commerce company giving an outside programmer login credentials to its Web host, so that the programmer could access whatever was needed.

Let’s be fair here. Were the documents proprietary and legally protected? No doubt they were. Did some people at SAP get carried away and do more than was necessary to help those specific customers? If the accusations in the lawsuit are correct, yes, it seems likely they did.

But even examining this case solely from the Oracle perspective based only on the claims that Oracle is making, it’s hard to see this as some monumental case that threatens to cripple Oracle.

Indeed, the claim that the people accessing the data didn’t even try to mask their IP addresses?and it stands to reason than many SAP people certainly would have had the knowledge and the wherewithal to do so?strongly suggests that the downloaders saw little wrong with what they were doing. That’s not the action of a Megabyte Mata Hari, trying to steal code that they’ll sell for millions on the black market. That sounds more like a tech support professional who sees a lot of tech support documents and files that he might have access to later on and should download now, just in case it will help a customer at some later date.

Please don’t get me wrong. SAP and Oracle are both very aggressive rivals and I wouldn’t it past either company to engage in true corporate espionage. But this doesn’t feel like that. It feels like Oracle finding a technicality that it can say “Gotcha!” with.


One Comment | Read Oracle’s SAP Lawsuit: The ISV Protests Too Much, Methinks

  1. JoJo Says:

    This code is not available to anyone but a customer. I prefer to emphasize that it is NOT available to anyone else rather than say only available to customers. I think it brings clarity to the fact that TomorrowNow has no rights to that code.
    What is TomorrowNow’s value proposition here? “We will download support docs from Oracle, add no value or investment ourselves and take 50% of the Support revenue?” That is ridiculous. I can just see the ebay post for TomorrowNow:
    “New, without tags, authentic Oracle support code, in hand, 50% discount. Please visit our webstore for other Oracle code:”


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.