security

Oracle sues rival for hacking, data theft

Posted on 24 March 2007 at 10:43

Database and enterprise software firm Oracle filed a lawsuit on Thursday against German application maker SAP claiming that the European firm pilfered an enormous number of documents and software from Oracle's customer-only support systems.

The lawsuit, filed after the close of SAP's European business day, alleged that the German software maker and its subsidiaries used the usernames and passwords of former--and soon-to-be-former--Oracle customers to download more than 10,000 support documents between September 2006 and January 2007. In some cases, the activity appeared as a "systematic pattern of sweeping" Oracle's database just days before a customer's support contract was about to expire, downloading information for products that the customer did not have deployed.

Oracle traced the suspect activity to the Texas-based offices of customer support subsidiary SAP TN (formerly, TomorrowNow), which SAP purchased in January 2005. The company had provided support services for customers of PeopleSoft, an enterprise software maker that Oracle acquired earlier the same month. In its court filing, Oracle charged that SAP TN used the access to Oracle's system to clone its support database and offer discounted services to former Oracle customers.

"In short, to try to 'keep the pressure on Oracle,' SAP has been engaged in a systematic program of unfair, unlawful, and deceptive business practices that continues to this day," Oracle stated in the filing. "Through its legitimate and illegal business practices, SAP has taken Oracle's Software and Support Materials and apparently used them to insinuate itself into Oracle's customer base, and to attempt to convert these customers to SAP software applications."

SAP was still analyzing the claims in the lawsuit and could not comment on the specific allegations, a company spokesperson stated in an e-mail to SecurityFocus.

"We have just been notified of the lawsuit, and have taken note of Oracle's news release and what is on its Web site," said spokesman Steve Bauer. "We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow its standard policy of not commenting on pending litigation."

Attacks on information systems for competitive intelligence have increasingly become a problem. In 2005, government and corporate information-security specialists detected a number of targeted attacks aimed at fooling knowledgeable employees. The number of attacks, many appearing to come from China, has only risen in the past 18 months.

Oracle and SAP have had a knock-down rivalry brewing ever since Oracle bought PeopleSoft and became a serious competitor to SAP, said Judith Hurwitz, president of analyst firm Hurwitz & Associates.

"Clearly these guys are going after each other pretty ferociously," Hurwitz said. "For SAP to buy a company to undercut Oracle's maintenance pricing ... It clearly was to get access and knowledge of Oracle's customer base, that is clearly why SAP bought them."

Oracle's lawsuit alleges that the purchase did not deliver enough. The 37-employee SAP TN focused mainly on sales and not on technical development, the filing claims. Instead, the company allegedly used the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials.

"SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle's system under false pretexts," Oracle stated in the filing. "Employing these techniques, SAP users effectively swept much of the contents of Oracle's system onto SAP's servers."

In late 2006, Oracle noticed "huge, unexplained spikes" in the number of its customers that had kept searching for more information after receiving the initial results of a search. Moreover, the renewed search attempts occurred within seconds of each other, suggesting that the actions had been automated, not performed by a human.

"Oracle soon discovered that many of these 'customers' had taken massive quantities of Software and Support Materials beyond their license rights, over and over again," the court filing states.

The conclusion caused Oracle to embark on an investigation into what was happening. The company allegedly found that the unauthorized access to its network originated from SAP's computers, not from the customers whose credentials were used. Credentials assigned to electronics maker Honeywell, pharmaceutical giant Merck and industrial technology firm SPX were all used to access Oracle's system, the software company stated.

Oracle's lawsuit repeatedly points to wording in software and service license agreements that stipulates that the customer support material is proprietary and only for use by the firm's customers.

The lawsuit makes eleven claims under the Computer Fraud and Abuse Act, economic espionage laws and regulations against unfair competition. The court filing does not specify what damages or penalties are sought by Oracle.

Microsoft’s Trustworthy Computing effort: 5-year review

Posted on 24 March 2007 at 10:40

Five years ago, Microsoft made a commitment to make more secure and reliable products and services, to help protect our customers’ privacy, and to be more transparent and responsive in our business practices.

We call this Trustworthy Computing and it infuses everything we do. Here are some highlights of our activities.

Microsoft has made strides to address spam and phishing issues
Consumers can benefit from our technologies and activities. For instance:

Industry-wide legal efforts and collaboration with law enforcement have helped stop some of the highest-volume spammers in the world.

The SmartScreen filtering technology in Windows Live Mail blocks more than 3.4 billion spam e-mail messages every day.

The next version of Microsoft Exchange will include even more robust and accurate anti-spam technology that makes it easier for IT administrators to keep unwanted e-mail out of corporate in-boxes.

The Microsoft Phishing Filter for Windows Vista and Internet Explorer 7, and the Windows Live toolbar help sniff out phishing attacks and potentially malicious Web sites, offering cyber criminals fewer opportunities to deceive and defraud.

Windows Defender is used by more than 17.5 million customers to help protect themselves from spyware threats. Windows Defender is included in every copy of Windows Vista and available to genuine Windows XP customers.

We’re also working with policymakers and industry leaders in the United States to encourage federal laws that establish baseline privacy protections for consumers while still allowing commerce to flourish. And, since privacy threats know no borders, we’re working with governments around the world to make privacy laws as consistent as possible.

Privacy and data protection for businesses
Privacy and data protection are critical issues for businesses and we have been working to address them. For instance:

Windows Rights Management technology is already helping companies safeguard information from unauthorized use.

The 2007 Microsoft Office system includes a Document Inspector that helps people remove unwanted data (such as author names or revision marks) before documents are published.

The 2007 Microsoft Office system includes Trusted Locations that help corporate IT administrators ensure the security of the solutions they deploy, as well as a Trust Bar that enables people to review security information about the documents they receive and block potentially harmful content.

Windows Vista Ultimate includes BitLocker full-drive encryption, which helps address the concern among businesses and enterprises of corporate and customer data being accessed from lost or stolen laptops.

Security remains a critical part of Trustworthy Computing
To really help solve security issues, it’s important that the computer industry and others work together. Collaboratively, we can locate vulnerabilities, address issues as they arise, and establish best practices. Microsoft works and partners with these organizations, among others:

Software vendors

The research community

Security companies

Law enforcement agencies worldwide to help find and catch individuals who write and distribute malicious software.

In the Microsoft workplace, we infused our software development process with a Security Development Lifecycle (SDL), a development practice that helps ensure our developers and engineers develop secure technologies. Windows Vista is the first Windows operating system built end-to-end under the SDL and, as such, will be the most secure and privacy-enhancing operating system Microsoft has ever shipped.

We’re also working to educate consumers about security and privacy issues, and provide new tools to help them maintain and secure their computers. Some examples include:

A worldwide guidance campaign on Microsoft.com provides tools and information about how to help protect PCs.

Windows Live OneCare is a simple and automated way to maintain the health of PCs by helping manage ongoing maintenance – including antivirus and firewall protections, data backup, regular PC performance-tuning, and software updates.

Microsoft Windows Malicious Software Removal Tool removes malware from millions of PCs every month and has helped to dramatically reduce the number of "bot" infections.

Our products are more reliable now than they have ever been
Microsoft has worked to reduce hangs, crashes, and reboots with all of our products, and the 2007 Microsoft Office system is one example.

This new version will:

Automatically diagnose and fix many common hardware, networking, and performance issues.

Work to protect the registry and user data in the event of a problem.

The 2007 Microsoft Office system also improves the document-recovery features, so that people can get back to work quickly with minimal data loss.

Looking ahead
Trustworthy Computing has to do more than address today’s challenges – it must help ensure that the innovations people will rely on tomorrow are designed from the outset to be reliable and secure, respectful of their privacy, and supported by trustworthy and responsive companies.

For more information about Trustworthy Computing, please visit www.microsoft.com/twc.

