.

Tuesday, November 12, 2019

Computer Fraud – an Analysis on Oracle Corp vs. Sap Ag

Information system has been playing a grave essential role in daily business activities. Over the past decade, the detection rate of computer crimes concerning information system attacks has risen sharply. According to Kunz and Wilson (2004), reported computer crimes have been septupled from 2000 to 2003 and leads to inestimable economic loss. Therefore, themes on information security, especially the prevention of computer fraud, have attracted increasingly attentions (Romney and Steinbart, 2009). However, it seems that perpetrators can always find new techniques to theft invaluable business secrets stored, processed or protected by those information systems. Moreover, some abuse techniques have been used in economic espionage, which causes a yearly loss of $250 billion (ibid). Oracle Corp vs. SAP AG could be one of the relating cases occurred in the recent 2007 and is not yet closed till present. This essay will firstly introduce the Case. Then by using Fraud Triangle, analyze the reason of SAP’s commitment of computer fraud and data theft. Finally, suggestions on how to improve the security of company’s information system will be addressed with some reflections of the Case. It has been reported that the world’s software giant SAP AG was sued by its largest competitor, Oracle Corporation, for computer fraud and data theft in March 2007 (Anon, 2010). In the Complaint, Oracle Corporation (2007) stated that in November 2006, unusual heavy download activities were spotted on Customer Connection, a website Oracle used to serve its customers. The uncovered access originated from an IP address in one of SAP’s braches with log-in IDs of PeopleSoft and J. D. Edwards customers. It is discovered later that TomorrowNow and SAP TN, two SAP subsidiaries, committed a series of unauthorized access to Oracle’s customer service system and more than 10,000 illegal download activities. Mass of important materials, including copyrighted software codes and confidential documents was theft. In this way, SAP was capable of establishing a service library for PeopleSoft and J. D. Edwards products, and launched a marketing campaign to snatch Oracle’s customers. The fraud resulted in Oracle’s 120 copyrights infringed and posed the threats of losing 358 customers (Kawamoto, 2007). On 24 November 2010, the U. S. Federal District Court for Northern California announced that Oracle won the Case with SAP liable for $1. 3 billion compensation. As Slappendel (2010) points out, this is the largest amount ever awarded in copyright infringement cases. The core reason may lies that the verdict is based upon the fair market value of the licenses for utilizing those resources instead of Oracle’s profit loss. After the verdict, SAP’s stock price has been falling significantly and TomorrowNow had to be shut down (Anon, 2011; Team, 2010). Although SAP accepted the liability and apologized for its inappropriate behavior, the company has been arguing that the penalty was contrary to the reality of the damage caused by the fraud (Margan, 2011). It is also reported that SAP has filed motions to the Court and therefore SAP’s computer fraud case does not seem to end at present. The action of data theft has brought unnecessary troubles to both SAP and Oracle. In order to prevent computer fraud effectively, it is essential to fully examine the reason of SAP’s behavior. Fraud Triangle will be used as an analysis tool. It is estimated by Romney and Steinbart (2009) that Fraud Triangle consists of the three normal conditions for fraud to occur: pressures, opportunities and rationalizations. Figure 1 shown below is a brief summary of Fraud Triangle in the Case. 5. Homely meals in software industry FIGURE 1 FRAUD TRIANGLE OF SAP Pressure Opportunity Rationalization 2. Oracle’s insufficient security management 4. Theft by other companies (i. e. Siebel Systems) before 1. Financial – fierce competition in the market 3. Few evidence – may not be spotted Firstly, SAP is probably under the severe pressure of maintaining the top one throne in the software market. During the last decade, competition between Oracle and SAP has greatly increased and the rivalry has developed into a feud. Particularly in 2004, Oracle began a series of acquisitions, aiming at increasing the share of enterprise applications market, where SAP owned the leadership (PeopleSoft, 2011). After realizing the seriousness, SAP fighted back by offering special discounts to woo customers, and thus a cruel price battle initiated. However, the strategy did not seem to rescue much, SAP’s market share remains downward sloping (Team, 2010). Currently, Oracle and SAP are vying for the third-party enterprise software support and maintenance market. The enormous pressure of winning may contribute to the commitment of computer fraud, especially for spying the business secrets of the largest competitor. The following two external conditions may possibly be linked to SAP’s unwise actions: Oracle’s insufficient security management and an opportunity to conceal the fraud. Oracle has provided the Customer Connection as a supplementary of its service to the customers. However, the semi-open system, which stores countless precious information, does not appear to be equipped with superior security management techniques. A huge defect exists that allows easy access to resources supposed to be protected from outsiders. In terms of the flaw, Oracle may be partially liable of its loss. Even though Oracle’s detection of abnormal access is relatively sensitive, it could not take a step ahead of the crime. Besides, Oracle’s dependence on service website offers the probability to conceal fraud, since comparably less evidence would be left for detection. With technology improvement, computer fraud may become far more difficult to spot in the future (The National Fraud Center, Inc. , 2000). Moreover, the experience of being a casualty of computer crimes might have lifted SAP’s rationalization of being a perpetrator. It is recorded that in 1999, SAP filed a lawsuit against Siebel Systems and claimed of being a victim of the so-called White Collar Crime (Kawamoto, 2007). Additionally, it may be reasonable to recognize the fact that most people in software industries regard the occurrence of computer fraud as homely meals, because almost all businesses in this market have grabbed some most advanced computer techniques, together with some abuse techniques obviously. As a result, SAP’s fraud behavior may not be that severe in the eyes of the decision makers. Hence, accelerate the germination of computer crimes. After fully assessment of why SAP may err, suggestions on how to improve the security of enterprise’s information system will be addressed with reflections of the Case. In the perspective of prevention, several control methods could be considered to raise the security capability of the enterprise’s information systems. First of all, persuade or enforce all employees, even the customers, to use strong password to access to company’s database or service websites (Standler, 2007). Requirement of password changes at regular time intervals would be necessary to prevent some former employees of customers’ company from entering the system, which may exactly Oracle needs. Secondly, restrict physical and remote access to system resources unless the both the log-in ID and IP address are authorized (Backhouse and Dhillon, 1995). Thirdly, safeguard and double encrypt all data and programs. For example, materials on the Customer Connection could be double encrypted so that without further encoding, the downloaded materials would remain useless for non-employees or non-customers. Besides, techniques such as anti-virus software and firewall could to some extent protect the system from worms and viruses attack. Although using the above prevention method could avoid some dispensable loss, perpetrators penetrate everywhere (Romney and Steinbart, 2009). Therefore, an efficient detection system should be ready for any possible incidences. The establishment of a fraud hotline is recommended, which contains the employment of computer security officers, consultants and forensic specialists. The control system will be engaged in monitoring all malicious actions and reporting back as soon as possible. In the Case, Oracle took advantage of its superior detection system and made SAP’s fraud evidence traceable and suppressible (Oracle Corporation, 2007). Despite prevention and detection, there are other preparations could be made ahead of the arrival of any disasters with the intention of reducing the loss caused by computer fraud (Kunz and Wilson, 2004). These routines mainly concern insurance application, recovery plans constitution, material back-up within the whole information system. Furthermore, timely crime reporting to the government crime center and effectively legislative tool using might be helpful for retrieving fairly compensations from perpetrators, as it has been done by Oracle Corporation in the Case. Some ERP market analysts even suspect that the Lawsuit could be a sort of Oracle’s strategy to decrease the competition in the third-party enterprise software maintenance and support market. Whatever the original purpose is, Oracle has achieved benefit from winning the Lawsuit for the current period. To conclude, SAP’s situation has satisfied all of the three conditions presented in Fraud Triangle, some of which heavily depend on industrial environment as well as the design of Oracle’s information system. Thus, objectively, SAP may not liable for all the censure, though it really has been occupied in illicit competition using computer fraud. Oracle could be considered partially responsible for its loss and the sentenced $1. 3 billion seems somewhat too cruel for SAP to bear. Although some experts may argue that the breach of intellectual property is unforgivable culpable negligence, it looks possible for the Court to adjust the amount of penalty towards a more realistic number. Since the next round hearings will not start until July 2011, all the outcomes remain unpredictable (Margan, 2011). It is undeniable that, however, computer fraud could bring about huge losses for the entire society, especially when it is used in economic espionage. In the speeding advancing information century, nearly all of the impossible could be made possible. Consequently, it seems that only the creation of a healthy competition environment, emphasis on business ethics and proper education may aid in bringing down the upward climbing computer crime rate. REFERENCE Anon. (2007) SAP-We Will Aggressively Defend Against Oracle‘s Claims [online]. Ziff Davis Media, United Press International. Available at: [30 April 2011] Anon. (2010) Oracle Awarded $1. 3bn In SAP Data Theft Case [online] 24 November. BBC News. Available at: [28 April 2011] Anon. (2011) SAP Posts Sharp Profit Drop Due To Oracle Lawsuit [online] 26 January. Available at: [29 April 2011] Backhouse,J. and Dhillon,G. (1995) Managing Computer Crime – A Research Outlook [online]. Computer and Security: 14(1995) 645-651. A vailable at: [29 April 2011] Granick,J. S. (n. d. ) Faking It: Calculating Loss In Computer Crime Sentencing [online]. Available at: [1 May 2011] Kawamoto,D. (2007) Oracle Sues SAP On Spying Charges [online] 22 March. CNET News. Available at: [28 April 2011] Kunz,M and Wilson,P. (2004) Computer Crime And Computer Fraud [online]. Available at: [1 May 2011] Margan,T. P. (2011) Oracle, SAP Still Going At It Over TomorrowNow [online] 28 February. Available at: [29 April 2011] Niccolai,J. (2010) SAP: Court Lops $500M Off Oracle’s Potential Damages [online] November. IDG News. Available at: [1 May 2011] Oracle Corporation (2007) Oracle Vs. SAP Lawsuit Complaint [online]. Available at: [28 April 2011] Panorama Consulting Group. (2010) Clash Of The Titans: An Independent Comparison Of SAP Vs. Oracle [online]. Available at: [10 April 2011] PeopleSoft (2011) Oracle vs. SAP [online] 1 May. Available at: [1 May 2011] Romney,M. B. and Steinbart,P. J. 2009) Accounting Information Systems, 11th Ed. Pearson Prentice Hall. Shaw,E. et al. (n. d. ) The Insider Threat To Information Systems: The Psychology Of The Dangerous Insider [online]. Security Awareness Bulletin: No. 2-98. Available at: [29 April 2011] Slappendel,S. (2010) Oracle v. SAP: Highest Damages Awarded For A Copyright Infringement Lawsuit [online]. Available at: [28 April 2011] Standler,R. B. (2007) Tips For Avoiding Computer Crime [online] 25 November. Available at: [29 April 2011] Team,T. (2010) SAP-Oracle Lawsuit Could Weigh On SAP Market Share, Stock Price [online] 14 December. Available at: [29 April 2011] The National Fraud Center, Inc. (2000) The Growing Global Threat Of Economic And Cyber Crime [online] December. Available at: [1 May 2011] APPENDIX: A COPY OF THE NEWS REPORT Oracle awarded $1. 3bn in SAP data theft case 24 November 2010 Last updated at 07:32 GMT Oracle chief executive Larry Ellison testified during the case European software giant SAP has been ordered by a Californian court to pay US rival Oracle $1. 3bn (? 820m) after losing a data theft case. The case revolved around customer-support documents and software stolen by SAP's subsidiary TomorrowNow. Oracle alleged that the German company intended to use the data to poach the 358 customers involved, and demanded $1. 65bn compensation. SAP had claimed it owed only $40m, but the jury decided in Oracle's favour. SAP said it was disappointed with the jury's decision and would look to challenge the verdict. [We will] pursue all available options, including post-trial motions and appeal if necessary,† it said in a statement. It did, however, reiterate that it had made a mistake: â€Å"We regret the actions of TomorrowNow, we have accepted liability, and have been willing to fairly compensate Oracle†. ‘Big dreams' Oracle co-president Safra Catz expressed her satisfa ction with the verdict: â€Å"For more than three years, SAP stole thousands of copies of Oracle software and then resold that software and related services to Oracle's own customers. â€Å"The trial made it clear that SAP's most senior executives

No comments:

Post a Comment