SAP Admits its Division Downloaded Unauthorized Oracle Materials
Whether it amounts to "corporate espionage" or not (most likely not), the case of Oracle v. SAP may have significant ramifications on how the world's leading information providers guard their information systems. In his company's defense this morning, SAP CEO Henning Kagermann admitted to reporters that, while an SAP division did download some material from Oracle inappropriately, the material was for the division's customers and not for SAP customers or SAP.
The problem is one of boundaries: When a division of one company is licensed to provide customer support for the division of another company, how should those companies keep their distance from one another? TomorrowNow is a leased customer support firm for PeopleSoft, J. D. Edwards, and Siebel business software. It's owned by SAP, and PeopleSoft is owned by Oracle. One of TomorrowNow's services is downloading updates for the software it supports, on behalf of the customers of that software's manufacturers.
To do that, service agents need customer passwords to get online - there's no other way for TomorrowNow to download material for them. For the sake of discussion, that's Boundary #1 in this case.
Kagermann was forthcoming in the way a leaky faucet eventually fills a cup of water. Reporters were patient, asking and re-asking the same questions, and with each response getting a few more drips of information.
"TomorrowNow is supporting Oracle-acquired software applications on behalf of customers," Kagermann finally explained. "In order to do so, customers share their passwords with TomorrowNow so that they can download the support material in order to provide the services. This is an accepted business practice in the industry."
So support agents are given the keys to the system, in a sense, but are they the keys to the kingdom? Oracle says yes; SAP says no, because it instituted what Kagermann called a "firewall" between itself and TomorrowNow - supposedly measures that prevent SAP from using the material TomorrowNow learns from, or on behalf of, the users it supports. That's Boundary #2. This firewall procedure, he said, is "properly in place" and works flawlessly.
Except when it doesn't, and as he admitted, it didn't. "In some cases, [procedures] were not followed properly," Kagermann admitted, "and that tells us that people have downloaded support material for some customers they were not allowed to download."
Kagermann did not say what that was, though he was asked repeatedly. Oracle's amended complaint refers to the downloaded material as "software and support materials:" about 1,800 items per day for a four-day period, collected using a single customer's password, it alleges.
Still, even after admitting that unauthorized downloads did occur, and releasing a significant press release to that effect, Kagermann said, "We can say that a number of key allegations made by Oracle and examined by us appear to be unfounded. In particular, we believe that SAP did not access to all the materials downloaded by TomorrowNow. All the support materials...remained in TomorrowNow's separate systems, and did not pass across our firewall to SAP. However, some TomorrowNow activity went beyond what is appropriate and contravened our high standards and business procedures."
The "firewall breach" is only one Oracle claim that Kagermann believes was unfounded; he did not go into detail about others. One outstanding claim raised by Oracle was that TomorrowNow downloaded a tremendous amount of material on behalf of customers who weren't even allowed to use it.
In one instance, Oracle sites that TomorrowNow logged in as customer "Honeywell International" (probably not chosen at random), and proceeded to download material to which neither TomorrowNow nor even Honeywell were entitled.
Kagermann alluded to this at one point: "TomorrowNow is allowed to download support material on behalf of the customer," he said, "and for this purpose use the password of the customer. And TomorrowNow was using the downloads for this customer. That's very important. It was inappropriate, I meant, as far as we could see from our ongoing examinations that, in some cases, they downloaded support material where they were not allowed to download according to the support contract of the customer."
While this does cast some suspicion on TomorrowNow, this also raises some questions for Oracle. Perhaps most obvious among them, if Honeywell wasn't entitled to the material, how could TomorrowNow have even accessed it using Honeywell's password? That's Boundary #3, and nobody's mentioned much about it.
Furthermore, Oracle alleges TomorrowNow downloaded thousands of Oracle product materials using the passwords of former (not current) Oracle clients. If that was true: 1) What was Oracle software doing on PeopleSoft's systems, which were the only ones to which TomorrowNow presumably had access? 2) If they were former Oracle clients, how come their passwords still worked? This points to Boundary #4: the "firewall" between PeopleSoft and Oracle, or the lack of one. If Oracle stated its case accurately, it doesn't.
Oracle, by the way, produces databases it claims are "unbreakable," describing that term in its 2002 promotional literature as representing "ten years of building provably secure databases."
Those points of argument could very well play into SAP's defense. Kagermann did ignore one question, however, regarding whether his company would expect lawsuits from TomorrowNow customers for inappropriate use of their passwords.
This morning, Oracle issued a brief statement which included this: "SAP CEO Henning Kagermann has now admitted to the repeated and illegal downloading of Oracle's intellectual property. Oracle filed suit to discover the magnitude of the illegal downloads and fully understand how SAP used Oracle's intellectual property in its business."
SAP says it will cooperate with a US Dept. of Justice investigation into this matter. In the meantime, it has appointed its own COO, Mark White, to serve at TomorrowNow's executive chairman, to whom the division's CEO will report. The challenge for White will be to restore Kagermann's "firewall," while at the same time increasing oversight over the behavior of its division.