Oracle sues SAP for hacking, data theft

Database and enterprise software firm Oracle filed a lawsuit on Thursday against German application maker SAP claiming that the European firm pilfered an enormous number of documents and software from Oracle’s customer-only support systems.
The lawsuit, filed after the close of SAP’s European business day, alleged that the German software maker and its subsidiaries used the usernames and passwords of former, and soon-to-be-former, Oracle customers to download more than 10,000 support documents between September 2006 and January 2007. In some cases, the activity appeared as a “systematic pattern of sweeping” Oracle’s database just days before a customer’s support contract was about to expire, downloading information for products that the customer did not have deployed.
Oracle traced the suspect activity to the Texas-based offices of customer support subsidiary SAP TN (formerly, TomorrowNow), which SAP purchased in January 2005. The company had provided support services for customers of PeopleSoft, an enterprise software maker that Oracle acquired earlier the same month. In its court filing, Oracle charged that SAP TN used the access to Oracle’s system to clone its support database and offer discounted services to former Oracle customers.
“In short, to try to ‘keep the pressure on Oracle,’ SAP has been engaged in a systematic program of unfair, unlawful, and deceptive business practices that continues to this day,” Oracle stated in the filing. “Through its legitimate and illegal business practices, SAP has taken Oracle’s Software and Support Materials and apparently used them to insinuate itself into Oracle’s customer base, and to attempt to convert these customers to SAP software applications.”
SAP was still analyzing the claims in the lawsuit and could not comment on the specific allegations, a company spokesperson stated in an e-mail to SecurityFocus.
“We have just been notified of the lawsuit, and have taken note of Oracle’s news release and what is on its Web site,” said spokesman Steve Bauer. “We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow its standard policy of not commenting on pending litigation.”
Attacks on information systems for competitive intelligence have increasingly become a problem. Oracle and SAP have had a knock-down rivalry brewing ever since Oracle bought PeopleSoft and became a serious competitor to SAP, said Judith Hurwitz, president of analyst firm Hurwitz & Associates.
“Clearly these guys are going after each other pretty ferociously,” Hurwitz said. “For SAP to buy a company to undercut Oracle’s maintenance pricing … It clearly was to get access and knowledge of Oracle’s customer base, that is clearly why SAP bought them.”
Oracle’s lawsuit alleges that the purchase did not deliver enough. The 37-employee SAP TN focused mainly on sales and not on technical development, the filing claims. Instead, the company allegedly used the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials.
“SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle’s system under false pretexts,” Oracle stated in the filing. “Employing these techniques, SAP users effectively swept much of the contents of Oracle’s system onto SAP’s servers.”
In late 2006, Oracle noticed “huge, unexplained spikes” in the number of its customers that had kept searching for more information after receiving the initial results of a search. Moreover, the renewed search attempts occurred within seconds of each other, suggesting that the actions had been automated, not performed by a human.
“Oracle soon discovered that many of these ‘customers’ had taken massive quantities of Software and Support Materials beyond their license rights, over and over again,” the court filing states.
The conclusion caused Oracle to embark on an investigation into what was happening. The company allegedly found that the unauthorized access to its network originated from SAP’s computers, not from the customers whose credentials were used. Credentials assigned to electronics maker Honeywell, pharmaceutical giant Merck and industrial technology firm SPX were all used to access Oracle’s system, the software company stated.
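The three signals the article describes, repeated searches fired seconds apart, credentials used from a network that is not the customer’s, and one source presenting several customers’ credentials, can each be checked against a support-portal access log. The following is an added example written for this page, not Oracle’s tooling; the log format, the account names, the IP addresses and the expected home networks are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of support-portal access log lines (not real Oracle data),
# one "timestamp account source_ip action" record per line.
SAMPLE_LOG = """\
2006-11-02T03:10:00 acct_a 203.0.113.5 search
2006-11-02T03:10:02 acct_a 203.0.113.5 search
2006-11-02T03:10:04 acct_a 203.0.113.5 search
2006-11-02T03:11:00 acct_c 203.0.113.5 download
2006-11-02T09:15:00 acct_b 198.51.100.7 search
2006-11-02T09:47:00 acct_b 198.51.100.7 download
"""
# Constructed assumption: the network each customer account is expected to use.
HOME_NETWORKS = {"acct_a": ip_network("192.0.2.0/24"),
                 "acct_b": ip_network("198.51.100.0/24"),
                 "acct_c": ip_network("192.0.2.0/24")}

def parse_log(text):
    """Return (timestamp, account, ip, action) tuples from the constructed format."""
    rows = [line.split() for line in text.splitlines()]
    return [(datetime.fromisoformat(ts), a, ip, act) for ts, a, ip, act in rows]

def automated_searchers(events, max_gap_s=5, min_burst=3):
    """Accounts firing min_burst consecutive searches no more than max_gap_s apart."""
    by_acct = defaultdict(list)
    for ts, acct, _, action in events:
        if action == "search":
            by_acct[acct].append(ts)
    flagged = set()
    for acct, times in by_acct.items():
        times.sort()
        run = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap_s else 1
            if run >= min_burst:
                flagged.add(acct)
                break
    return flagged

def foreign_source_accounts(events, home=HOME_NETWORKS):
    """Accounts whose credentials were used from outside their expected network."""
    return {acct for _, acct, ip, _ in events if ip_address(ip) not in home[acct]}

def shared_sources(events):
    """Source IPs that presented the credentials of more than one customer."""
    accts = defaultdict(set)
    for _, acct, ip, _ in events:
        accts[ip].add(acct)
    return {ip for ip, seen in accts.items() if len(seen) > 1}
```

On the sample, the burst check flags acct_a, the network check flags acct_a and acct_c, and the shared-source check flags 203.0.113.5 as one machine holding two customers’ credentials; any one of these alone produces false positives (VPNs, shared proxies, eager users), so they are meant to be read together.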
Oracle’s lawsuit repeatedly points to wording in software and service license agreements that stipulate that the customer support material is proprietary and only for use by the firm’s customers.
The lawsuit makes eleven claims under the Computer Fraud and Abuse Act, economic espionage laws and regulations against unfair competition. The court filing does not specify what damages or penalties are sought by Oracle.

Reader comment:

First of all, I do not see how this is related to “hacking”. Using a client’s login details and creating a dummy user is not the epitome of penetration testing art. Now as far as I can tell SAP is not a dirt-poor, cheap company operating from a ghetto basement using a stolen WiFi link. Being one of the largest software corporations, surely they can afford to buy an Oracle solution or two and then peruse the related documentation at will (or perhaps take it even further and reverse engineer the hell out of competitor’s programs), hire and debrief a couple of Sr Engineers (human assets were always a crucial part of intelligence) and whatnot, being “sleazy” but staying well within the law. Using soon-to-be-former Oracle customer accounts and then downloading documentation directly into their servers? Come on, there are a ton of ways to anonymize traffic and since they are committing “hacking” (the article’s wording, not mine, mind you), they must know that if they get caught red-handed there are many things at stake (including valuable corporate image). My assumptions are that there is perhaps a rogue element within SAP, as from a senior managerial perspective, this move is suicide. The fact that this appears to be a low tech level attack (once again, it is not like SAP cannot afford a highly technical yet amoral person), strengthens this motion further. Perhaps a couple of bored techies under the command of a middle level manager at best? It just does not make sense. Anyway, this will be a subject that I will keep my eyes on.