According to Oracle's filing, SAP employees would at times log on to Oracle servers using easy-to-spot fake names like NULL or, simply, User. On other occasions they would key in obviously phony e-mail addresses--including [email protected] yomamma.com--and bogus phone numbers comprised of a single, repeating digit.
Ultimately, Oracle caught on to the unusual volume of requests. It claims in one case that phony IDs were used to access Oracle servers and download "more than 1,800 items per day for four days straight." That's not typical of what a customer with a support problem would do; Oracle says the customer whose logon was used normally executed just 20 downloads a month.
Oracle says an investigation into huge traffic spikes on its Customer Connection servers showed that the logons originated not from computers at the customer's location, but from computers with IP addresses originating from SAP TN's Bryan, Texas, offices.
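The signals described in the filing (download volume far above an account's baseline, logons from outside the customer's own network, and placeholder contact details) can be checked against download logs. The sketch below is an added example, not Oracle's tooling or anything from the filing; the account names, networks, log layout and thresholds are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed reference data (assumptions, not from the filing).
BASELINE_PER_MONTH = {"acme-support": 20, "globex-support": 20}
CUSTOMER_NETS = {
    "acme-support": [ipaddress.ip_network("198.51.100.0/24")],
    "globex-support": [ipaddress.ip_network("192.0.2.0/24")],
}
PLACEHOLDER_NAMES = {"null", "user"}

def placeholder_profile(name, phone):
    """True for fake-looking fields: NULL/User names or a phone of one repeated digit."""
    digits = re.sub(r"\D", "", phone)
    return name.strip().lower() in PLACEHOLDER_NAMES or (
        len(digits) >= 7 and len(set(digits)) == 1)

def review(events, spike_factor=10):
    """events: (account, day, src_ip, name, phone) per download -> {account: [reasons]}."""
    per_day = Counter()
    findings = {}
    for account, day, src_ip, name, phone in events:
        per_day[(account, day)] += 1
        reasons = findings.setdefault(account, set())
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in CUSTOMER_NETS.get(account, [])):
            reasons.add("source IP outside customer networks")
        if placeholder_profile(name, phone):
            reasons.add("placeholder contact details")
    for (account, day), count in per_day.items():
        # Compare each day with the account's usual daily rate (floor of 1 per day).
        daily_baseline = max(BASELINE_PER_MONTH.get(account, 0) / 30, 1)
        if count > spike_factor * daily_baseline:
            findings[account].add(f"volume spike on {day}: {count} downloads")
    return {a: sorted(r) for a, r in findings.items() if r}

def sample_events():
    """Constructed log: one account pulling 1,800 items in a day, one behaving normally."""
    heavy = [("acme-support", "day-1", "203.0.113.7", "NULL", "777-777-7777")] * 1800
    normal = [("globex-support", "day-1", "192.0.2.15", "Dana Reyes", "415-555-0134")] * 2
    return heavy + normal

if __name__ == "__main__":
    for account, reasons in review(sample_events()).items():
        print(account, reasons)
```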
The case calls attention to a business practice that may be more widespread than is generally known--pretending to be a competitor's customer to glean valuable information from the competitor's support site. A form of pretexting--a practice that received much exposure when Hewlett-Packard investigators used it to obtain phone records to uncover boardroom leaks--it can be done by anyone who has obtained a valid customer's name and password to log on to the site.
"Companies do this all the time, quite frankly," says Ed Gaudet, VP of product management at Liquid Machines, a company that makes e-mail and content control products that, in part, are aimed at preventing such intrusions. Oracle's suit alleges that SAP TN downloaded 10,000 items, including support documents, bug fixes, and software patches. If so, that would put it in a different class from a competitor who comes in under a valid user name and downloads one or two items associated with a new product.
Oracle claims SAP used the information to provide support for Oracle applications but doesn't cite specific examples of such direct use. Even if a downloader doesn't use such information in direct support activities, it can have high value, Gaudet says. "The information indicates the weaknesses of a competitor's products--the bug fixes, the workarounds," he says. That kind of information can be used to talk down rival products in sales calls. Also, a pretexter who accesses a support site with specific customer information could find out who's having problems and, thus, who's more likely to switch vendors.
Even with Oracle's claims of economic harm, it's managing to soldier on. Last week it reported that third-quarter profit rose 35% over the year-earlier quarter on 27% higher revenue, as it successfully digests several acquisitions. SAP revenue rose 7%, according to preliminary fourth-quarter results from January, with net income up 29%.
The filing illustrates how difficult it is for third-party support companies to lure customers from application vendors, wrote Merrill Lynch analyst Kash Rangan in a report last week. The suit claims the downloads were made on behalf of 25 to 30 customers. Though there may be more who've signed with SAP TN, it's "likely a small fraction of Oracle's 30,000+ apps customers," Rangan writes, despite prices about half what Oracle charges. So why is Oracle so worked up? Its support gross margins are 85% or more, Rangan said, and those services provide a vital recurring revenue stream.
The lawsuit isn't going to thrill customers of either company. Oracle's security comes out looking less than bulletproof. And SAP must answer sweeping charges leveled against it. Customers like having two well-matched rivals beating each other's brains out in the marketplace. When it's the courtroom, they're less impressed.