Supplier refusing to decrypt data in our own database. Help!

beanbag

Original Poster:

7,346 posts

240 months

Friday 4th November 2016
I'm trying to resolve something for my wife's family business and I need a little legal guidance.

They have been using a customer database system for their business since the early 90's and it's DOS based meaning it's been very difficult lately to run the IT infrastructure and the business is struggling to move forward.

I am working with a developer to build the system again in a cloud-based format however the original DOS databases containing pretty much all the customer data are encrypted and the original developer (who is being paid a small fortune each year to run the system and doing pretty much zero work in return), is refusing to decrypt the databases and provide them in a readable format.

I have requested he provide all the database tables in CSV format or even just provide the encryption key but he's said no to both.

This means he's pretty much holding us ransom with his software which is costing the business a lot of money.

The data is clearly ours. It contains customer data, payment information and pretty much a ton of things essential to the business.

What laws and options do I have on my side to resolve this?

TooMany2cvs

29,008 posts

125 months

Friday 4th November 2016
beanbag said:
I'm trying to resolve something for my wife's family business and I need a little legal guidance.

They have been using a customer database system for their business since the early 90's and it's DOS based meaning it's been very difficult lately to run the IT infrastructure and the business is struggling to move forward.

I am working with a developer to build the system again in a cloud-based format however the original DOS databases containing pretty much all the customer data are encrypted and the original developer (who is being paid a small fortune each year to run the system and doing pretty much zero work in return), is refusing to decrypt the databases and provide them in a readable format.

I have requested he provide all the database tables in CSV format or even just provide the encryption key but he's said no to both.

This means he's pretty much holding us ransom with his software which is costing the business a lot of money.

The data is clearly ours. It contains customer data, payment information and pretty much a ton of things essential to the business.

What laws and options do I have on my side to resolve this?
I'd be looking at what you can extract via queries to the db, and how that can then be used to rebuild the databases. It's not like the historic information going back 30 years is particularly useful, so just focus on the last decade.

If there's data you can't query, then it's not data you're using anyway.

beanbag

Original Poster:

7,346 posts

240 months

Friday 4th November 2016
TooMany2cvs said:
beanbag said:
I'm trying to resolve something for my wife's family business and I need a little legal guidance.

They have been using a customer database system for their business since the early 90's and it's DOS based meaning it's been very difficult lately to run the IT infrastructure and the business is struggling to move forward.

I am working with a developer to build the system again in a cloud-based format however the original DOS databases containing pretty much all the customer data are encrypted and the original developer (who is being paid a small fortune each year to run the system and doing pretty much zero work in return), is refusing to decrypt the databases and provide them in a readable format.

I have requested he provide all the database tables in CSV format or even just provide the encryption key but he's said no to both.

This means he's pretty much holding us ransom with his software which is costing the business a lot of money.

The data is clearly ours. It contains customer data, payment information and pretty much a ton of things essential to the business.

What laws and options do I have on my side to resolve this?
I'd be looking at what you can extract via queries to the db, and how that can then be used to rebuild the databases. It's not like the historic information going back 30 years is particularly useful, so just focus on the last decade.

If there's data you can't query, then it's not data you're using anyway.
Interestingly, we've been doing this but the application crashes frequently (another reason to dump it), and we only have 4 over-worked staff in the company who manage the admin side of the business, so in a week we barely managed to get a few days' worth of data when combined with other tasks.

The system is a PMS so handles hotel bookings, customer invoices, reservations, check in/out processes, and a ton more. Under law in Spain, we must have at least 5 years' worth of data for tax purposes and ideally a little more. If in just a week we managed to extract about 3-4 weeks' worth of data, it'll take an eternity to complete, so this is unfortunately not an option.

I also tried to see if I could automate it in some way, but since it crashes every moment, that wasn't a solution either. I then sent the database files to a couple of very competent developers and they both came back telling me it was encrypted. They could probably decrypt it with a brute force over time but that would be costly and potentially very time-consuming.

For now, I've removed access to any of the systems from the original supplier but we have just 2 months before the system locks itself again. I can get around that by not changing the date on the system, which is a poor way to handle things, so ultimately we just want our data.

From a legal standpoint, where do I stand?

AnotherGuy

819 posts

247 months

Friday 4th November 2016
Early 90's PC database?

It's likely to be dBase, FoxPro or Paradox.

Send the .dbf files (or equivalent) to http://www.pwcrack.com/dbase.shtml

$75 later you'll have the password. These guys are legit and been around a while.
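Before sending anything anywhere, it is worth confirming what the files actually are. The following is an added example, not code from the thread or from any poster: a small Python reader for the publicly documented dBase/FoxPro .dbf header layout. It reports the version byte, record count, field descriptors and the dBase IV "PROTECT" encryption flag (byte 15), then slices the fixed-width record area. The sample file it parses is constructed in-memory and is not real data; the version-name table is a subset of the published values. If the field descriptors decode cleanly but the record values come out as garbage, the vendor has scrambled the data area with its own scheme rather than dBase's, and the flag byte will usually still be zero, which is itself a useful thing to know before paying anyone.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Version bytes from the published dBase/FoxPro header layout (subset).
VERSION_NAMES = {
    0x02: "FoxBASE",
    0x03: "dBase III / FoxPro (no memo)",
    0x30: "Visual FoxPro",
    0x83: "dBase III with memo",
    0x8B: "dBase IV with memo",
    0xF5: "FoxPro with memo",
}


@dataclass
class DbfInfo:
    version: int
    version_name: str
    last_update: Tuple[int, int, int]        # (YY, MM, DD) exactly as stored, two-digit year
    record_count: int
    header_length: int
    record_length: int
    encryption_flag: int                     # header byte 15: non-zero means dBase IV PROTECT
    fields: List[Tuple[str, str, int, int]]  # (name, type letter, width, decimals)


def parse_dbf_header(data: bytes) -> DbfInfo:
    """Decode the 32-byte file header and the 32-byte field descriptors that follow it."""
    if len(data) < 32:
        raise ValueError("too short to be a .dbf file")
    version = data[0]
    record_count, header_length, record_length = struct.unpack_from("<IHH", data, 4)
    fields = []
    offset = 32
    # Field descriptors run until a 0x0D terminator byte.
    while offset + 32 <= len(data) and data[offset] != 0x0D:
        name = data[offset:offset + 11].split(b"\x00", 1)[0].decode("ascii", "replace")
        ftype = chr(data[offset + 11])
        fields.append((name, ftype, data[offset + 16], data[offset + 17]))
        offset += 32
    return DbfInfo(version, VERSION_NAMES.get(version, "unknown (0x%02X)" % version),
                   (data[1], data[2], data[3]), record_count, header_length,
                   record_length, data[15], fields)


def read_records(data: bytes, info: DbfInfo) -> List[dict]:
    """Slice fixed-width records starting at header_length; '*' in byte 0 marks a deleted row."""
    rows = []
    pos = info.header_length
    for _ in range(info.record_count):
        rec = data[pos:pos + info.record_length]
        pos += info.record_length
        if len(rec) < info.record_length:
            break  # truncated file: stop rather than emit a partial row
        row = {"_deleted": rec[:1] == b"*"}
        off = 1
        for name, _ftype, width, _dec in info.fields:
            row[name] = rec[off:off + width].decode("ascii", "replace").strip()
            off += width
        rows.append(row)
    return rows


def build_sample_dbf() -> bytes:
    """Constructed sample: a dBase III-style table with two fields and two rows (not real data)."""
    fields = [(b"NAME", b"C", 10, 0), (b"AMOUNT", b"N", 8, 2)]
    record_length = 1 + sum(f[2] for f in fields)      # deletion flag + field widths
    header_length = 32 + 32 * len(fields) + 1          # header + descriptors + 0x0D terminator
    records = [b" " + b"Alice".ljust(10) + b"12.50".rjust(8),
               b" " + b"Bob".ljust(10) + b"7.25".rjust(8)]
    header = bytearray(32)
    header[0] = 0x03                                   # dBase III, no memo file
    header[1:4] = bytes([16, 11, 4])                   # last update 16-11-04 (YY MM DD)
    struct.pack_into("<IHH", header, 4, len(records), header_length, record_length)
    descriptors = b""
    for name, ftype, width, dec in fields:
        d = bytearray(32)
        d[0:len(name)] = name
        d[11] = ftype[0]
        d[16] = width
        d[17] = dec
        descriptors += bytes(d)
    return bytes(header) + descriptors + b"\x0D" + b"".join(records) + b"\x1A"


def describe(data: bytes) -> str:
    """Human-readable summary of what the header claims the file is."""
    info = parse_dbf_header(data)
    lines = ["format: %s, %d records of %d bytes, header %d bytes, last update %02d-%02d-%02d"
             % ((info.version_name, info.record_count, info.record_length,
                 info.header_length) + info.last_update),
             "encryption flag (byte 15): %d" % info.encryption_flag]
    for name, ftype, width, dec in info.fields:
        lines.append("  field %-10s type %s width %d dec %d" % (name, ftype, width, dec))
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_dbf()
    print(describe(sample))
    for row in read_records(sample, parse_dbf_header(sample)):
        print(row)
```

Run it against a real table by replacing `build_sample_dbf()` with `open(path, "rb").read()`. Paradox tables use a different layout entirely, so a file whose first byte is not one of the known dBase/FoxPro version values is a signal to look elsewhere rather than to keep guessing.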

beanbag

Original Poster:

7,346 posts

240 months

Friday 4th November 2016
AnotherGuy said:
Early 90's PC database?

It's likely to be dBase, FoxPro or Paradox.

Send the .dbf files (or equivalent) to http://www.pwcrack.com/dbase.shtml

$75 later you'll have the password. These guys are legit and been around a while.
Cheers! I'll definitely give that a try!

98elise

26,366 posts

160 months

Friday 4th November 2016
How do you access the encrypted data normally? As a last resort can it be screen scraped in some way?

TooMany2cvs

29,008 posts

125 months

Friday 4th November 2016
beanbag said:
From a legal standpoint, where do I stand?
I have no idea, as I can't see your original development contract or the ongoing maintenance contract - nor do I know the Spanish laws on unfair contract terms or intellectual property. I think you're going to need proper paid-for local legal advice if the backdoors don't work - and, quite possibly, if they do and he decides to go after you for breach of contract etc.

The other option is to just run the two systems alongside each other, then - once the minimum legal retention period is up - just switch the old one off.

anonymous-user

53 months

Friday 4th November 2016
You mention Spain. Under what law is the contract with the supplier?

beanbag

Original Poster:

7,346 posts

240 months

Friday 4th November 2016
98elise said:
How do you access the encrypted data normally? As a last resort can it be screen scraped in some way?
That's what I tried to do already, but as I mentioned, the application crashes frequently so it's almost impossible to complete the task properly...

beanbag

Original Poster:

7,346 posts

240 months

Friday 4th November 2016
janesmith1950 said:
You mention Spain. Under what law is the contract with the supplier?
This is another problem. They're struggling to dig up the original paperwork. I believe the system was set up back in the early 1990's and they can't find the original contract. They have the invoices for the annual billing of the system but there's no legal wording specified within them.

randlemarcus

13,507 posts

230 months

Friday 4th November 2016
I suppose it's too late to tell the developer that you have had notice from the Spanish equivalent of HMRC to show them the last x years of records in softcopy format?

beanbag

Original Poster:

7,346 posts

240 months

Friday 4th November 2016
randlemarcus said:
I suppose it's too late to tell the developer that you have had notice from the Spanish equivalent of HMRC to show them the last x years of records in softcopy format?
We basically told him we were doing an audit of all our data and needed him to extract all the information into CSV so we could back it up and go through it.

He told us to do it through the system and we responded by telling him we did not want to do it this way as the system was very unstable and made the job difficult to do. I asked him again to either provide us with the encryption key or to extract the data and he said that would not be possible.

Roy the Boy

462 posts

220 months

Friday 4th November 2016
beanbag said:
he said that would not be possible.
Maybe he's lost/doesn't know the encryption key himself and doesn't want to admit it.

Just a thought.

plasticpig

12,932 posts

224 months

Friday 4th November 2016
If the data is in dBase format (.dbf files) then I may be able to help you (PM me). Another alternative is to capture all outputs from reports and use a report analysis / data extraction tool such as Monarch to rebuild the data.
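The report-capture route works because a printed report is just a fixed-width text file, and the hard part is the paging noise (titles, repeated headings, form feeds, total lines) rather than the columns. As an added example, not code from the thread or from any product mentioned in it, here is a Python parser that takes column positions from the dashed underline beneath the headings, treats a line as data only when its key column matches a pattern, and reconciles the rebuilt rows against the report's own grand total so that a page lost during capture is noticed. The report layout and every figure in it are constructed for the example.

```python
import csv
import io
import re
from decimal import Decimal
from typing import Dict, List, Tuple


def _row(inv: str, date: str, guest: str, room: str, total: str) -> str:
    # Layout helper used only to build the constructed sample at fixed column widths.
    return f"{inv:<9}{date:<12}{guest:<22}{room:<7}{total:>9}\n"


UNDERLINE = "-" * 7 + "  " + "-" * 10 + "  " + "-" * 20 + "  " + "-" * 4 + "   " + "-" * 9 + "\n"

# Constructed sample of a two-page report captured to a text file (not real data).
SAMPLE_REPORT = (
    "HOTEL EJEMPLO            GUEST INVOICE LISTING             PAGE 1\n"
    + _row("INVOICE", "DATE", "GUEST", "ROOM", "TOTAL")
    + UNDERLINE
    + _row("000123", "04/11/2016", "GARCIA, ANA", "204", "150.00")
    + _row("000124", "04/11/2016", "SMITH, JOHN", "310", "89.50")
    + "\f\n"
    + "HOTEL EJEMPLO            GUEST INVOICE LISTING             PAGE 2\n"
    + _row("INVOICE", "DATE", "GUEST", "ROOM", "TOTAL")
    + UNDERLINE
    + _row("000125", "05/11/2016", "LOPEZ, MARIA", "115", "210.75")
    + _row("", "", "", "TOTAL", "450.25")
)


def parse_report(text: str, key_pattern: str = r"\d+") -> List[Dict[str, str]]:
    """Rebuild rows from a paginated fixed-width report.

    Column spans come from the dashed underline under the headings; the heading
    names come from the non-blank line above it. A line counts as data only when
    its first column fully matches key_pattern, so page titles, repeated headings,
    blank lines, form feeds and total lines are skipped.
    """
    spans: List[Tuple[int, int]] = []
    names: List[str] = []
    prev = ""
    rows: List[Dict[str, str]] = []
    key_re = re.compile(key_pattern)
    for line in text.splitlines():
        if line.strip() and set(line.strip()) <= {"-", " "}:
            spans = [(m.start(), m.end()) for m in re.finditer(r"-+", line)]
            names = prev.split()
            if len(names) != len(spans):
                raise ValueError("heading/underline mismatch at: %r" % prev)
        elif spans:
            first = line[spans[0][0]:spans[0][1]].strip()
            if key_re.fullmatch(first):
                rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
        if line.strip():
            prev = line
    return rows


def sum_column(rows: List[Dict[str, str]], column: str) -> Decimal:
    """Exact sum of a numeric column, for reconciling against the report's grand total."""
    return sum((Decimal(r[column]) for r in rows), Decimal("0"))


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise rebuilt rows as CSV with the report's headings as the header line."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rebuilt = parse_report(SAMPLE_REPORT)
    print(to_csv(rebuilt))
    print("rows:", len(rebuilt), "sum of TOTAL:", sum_column(rebuilt, "TOTAL"))
```

The reconciliation step is the part worth keeping whatever tool does the parsing: a report that prints 450.25 but whose rebuilt rows sum to something else means a page or a row was lost in capture, which is the failure mode that is otherwise invisible until the tax inspector asks for an invoice that is not there.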

buggalugs

9,243 posts

236 months

Friday 4th November 2016
You don't know what kind of bizarreness you're going to find once you do get into the db.

Start fresh on a new system and just keep one machine in a corner somewhere with the old crap on it.

randlemarcus

13,507 posts

230 months

Friday 4th November 2016
buggalugs said:
You don't know what kind of bizarreness you're going to find once you do get into the db.

Start fresh on a new system and just keep one machine in a corner somewhere with the old crap on it.
Sounds like the software times out every six months in order to keep the developer in 80's Amiga magazines. Which won't help if the HMRCOle come knocking.

plasticpig

12,932 posts

224 months

Friday 4th November 2016
randlemarcus said:
Sounds like the software times out every six months in order to keep the developer in 80's Amiga magazines. Which won't help if the HMRCOle come knocking.
Which is illegal in the UK but Spain could be a different matter.

rxe

6,700 posts

102 months

Friday 4th November 2016
If the password cracking doesn't work, I would have thought a capable developer would be able to emulate the front end and hoover all the data out. I assume you have the ability via the application to log into the database - you are being prevented from dumping out the schemas and data.

To be honest, you probably don't want the schema, it will be cack - it is more a case of "give me what you think a customer is" and load it into your new system.

As a last resort, use a "robot" to screen scrape it out of hours. We use things like Blueprism to do this (generally in the other direction, loading data into awkward systems) - you won't need anything like as industrial.

budgie smuggler

5,359 posts

158 months

Friday 4th November 2016
plasticpig said:
Which is illegal in the UK
How so?

plasticpig

12,932 posts

224 months

Friday 4th November 2016
budgie smuggler said:
How so?
Time locking software falls foul of the Computer Misuse Act 1990.