Supplier refusing to decrypt data in our own database. Help!


beanbag

Original Poster:

7,346 posts

241 months

Friday 4th November 2016
I'm trying to resolve something for my wife's family business and I need a little legal guidance.

They have been using a customer database system for their business since the early 90s, and it's DOS-based, meaning it's been very difficult lately to run the IT infrastructure and the business is struggling to move forward.

I am working with a developer to build the system again in a cloud-based format; however, the original DOS databases containing pretty much all the customer data are encrypted, and the original developer (who is being paid a small fortune each year to run the system and doing pretty much zero work in return) is refusing to decrypt the databases and provide them in a readable format.

I have requested he provide all the database tables in CSV format or even just provide the encryption key but he's said no to both.

This means he's pretty much holding us ransom with his software which is costing the business a lot of money.

The data is clearly ours. It contains customer data, payment information and pretty much a ton of things essential to the business.

What laws and options do I have on my side to resolve this?

beanbag

Friday 4th November 2016
TooMany2cvs said:
beanbag said:
I'm trying to resolve something for my wife's family business and I need a little legal guidance. [...]
I'd be looking at what you can extract via queries to the db, and how that can then be used to rebuild the databases. It's not like the historic information going back 30 years is particularly useful, so just focus on the last decade.

If there's data you can't query, then it's not data you're using anyway.
Interestingly, we've been doing this, but the application crashes frequently (another reason to dump it), and we only have 4 over-worked staff in the company who manage the admin side of the business, so in a week we barely managed to get a few days' worth of data when combining it with other tasks.

The system is a PMS, so it handles hotel bookings, customer invoices, reservations, check-in/out processes, and a ton more. Under law in Spain, we must have at least 5 years' worth of data for tax purposes and ideally a little more. If in just a week we managed to extract about 3-4 weeks' worth of data, it'll take an eternity to complete, so this is unfortunately not an option.

I also tried to see if I could automate it in some way, but since it crashes every moment, that wasn't a solution either. I then sent the database files to a couple of very competent developers and they both came back telling me it was encrypted. They could probably decrypt it with a brute force over time, but that would be costly and potentially very time-consuming.

For now, I've removed access to any of the systems from the original supplier, but we have just 2 months before the system locks itself again. I can get around that by not changing the date on the system, which is a poor way to handle things, so ultimately we just want our data.

From a legal standpoint, where do I stand?

beanbag

Friday 4th November 2016
AnotherGuy said:
Early 90's PC database?

It's likely to be dBase, FoxPro or Paradox.

Send the .dbf files (or equivalent) to http://www.pwcrack.com/dbase.shtml

$75 later you'll have the password. These guys are legit and been around a while.
Cheers! I'll definitely give that a try!

beanbag

Friday 4th November 2016
98elise said:
How do you access the encrypted data normally? As a last resort can it be screen scraped in some way?
That's what I tried to do already, but as I mentioned, the application crashes frequently so it's almost impossible to complete the task properly.

beanbag

Friday 4th November 2016
janesmith1950 said:
You mention Spain. Under what law is the contract with the supplier?
This is another problem. They're struggling to dig up the original paperwork. I believe the system was set up back in the early 1990s and they can't find the original contract. They have the invoices for the annual billing of the system, but there's no legal wording specified within them.

beanbag

Friday 4th November 2016
randlemarcus said:
I suppose it's too late to tell the developer that you have had notice from the Spanish equivalent of HMRC to show them the last x years of records in softcopy format?
We basically told him we were doing an audit of all our data and needed him to extract all the information into CSV so we could back it up and go through it.

He told us to do it through the system, and we responded by telling him we did not want to do it this way as the system was very unstable and made the job difficult to do. I asked him again to either provide us with the encryption key or to extract the data, and he said that would not be possible.

beanbag

Monday 7th November 2016
So, I've been feverishly working away getting this to work, so apologies for not replying to some of the comments.

I spent quite a bit of time trying out a number of DB formats, but none seemed to understand the files I had, and once again, after talking to my friend, he agreed the format was very unusual. In short, I've no idea which system this developer used.

However, as a spotty teen I used to play a lot in DOS, and I remembered that back in the day, executable strings were a way to unlock a lot of features in apps, and lo and behold, "/help" revealed a lot of interesting options, including an "admin" option.

By using this string, it enabled an export data option, and I've been able to export all the data to a CSV ASCII file. It's not perfect, as many of the special characters are now buggered up, but there are a number of other options to choose from; I will give those a try as well.

However, after exporting all the data, I was able to import it into a MySQL database. It's not at all normalised and has a ton of repeat data, but it's perfectly usable. Interestingly, the export files have no primary keys on any of the records. Booking records were simply matched to the customer account number, but there was no way to look up a specific booking ID. The staff had to look up an owner and check through all the bookings. The point is I have five tables of data, none of which is normalised, and there's no primary key for any record other than the account ID in the client table.

What's more worrying is the fact that none of the credit cards are hashed, so that will be one of the first things I do too. In short, it's very shoddy and very shocking.

Anyway, I appreciate all your help. I haven't bothered telling the original supplier I have the data and don't plan to either.

I now need to work on getting a new system built from scratch to manage the business....

Once again, thanks all for your help!
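The two card-data points raised in this thread, that the legacy export holds card numbers in clear and that the plan is to make them unreadable with a key held only by the administrator, are illustrated below with an added example that is not code from the thread or from the legacy PMS. It scans a constructed CSV export (header row assumed, as in the "/help" admin export described above) for Luhn-valid card numbers and replaces each with a masked last-four plus a keyed HMAC token; the column names, the sample rows and the administrator key are all hypothetical.

```python
"""Added example, not code from the thread or the legacy PMS: find clear-text
card numbers in a CSV export and render them unreadable (masked last four
plus a keyed HMAC token) before the data reaches the new system.
Hypothetical assumptions: header row present; the administrator's key is
available as bytes. Sample numbers are synthetic Luhn-valid test values."""
import csv
import hashlib
import hmac
import io
import re

# Constructed sample export: client table keyed only by account number,
# card numbers stored in clear, as the thread describes.
SAMPLE_EXPORT = """ACCOUNT,NAME,CARD,PHONE
1001,A. Owner,4111111111111111,600123456
1002,B. Renter,5500000000000004,600654321
1003,C. Guest,,600111222
"""
ADMIN_KEY = b"placeholder-key-held-only-by-the-administrator"
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits):
    """True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value):
    """13-19 digits (spaces/dashes allowed) that pass Luhn."""
    v = value.replace(" ", "").replace("-", "")
    return bool(PAN_RE.match(v)) and luhn_ok(v)

def tokenize(pan, key):
    """Keyed HMAC-SHA256 over the full PAN: stable per card, irreversible
    without the administrator's key, so the staff-facing DB never holds it."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def scrub_export(text, key):
    """Return (rows, findings): rows with every Luhn-valid PAN replaced by
    its masked form plus a <column>_TOKEN, and a per-column hit count."""
    rows, findings = [], {}
    for row in csv.DictReader(io.StringIO(text)):
        for col, val in list(row.items()):   # copy: we add keys below
            if val and looks_like_pan(val):
                pan = val.replace(" ", "").replace("-", "")
                findings[col] = findings.get(col, 0) + 1
                row[col] = "*" * (len(pan) - 4) + pan[-4:]
                row[col + "_TOKEN"] = tokenize(pan, key)
        rows.append(row)
    return rows, findings
```

The findings count tells you which columns of which table actually carried card numbers, so the same pass doubles as the inventory PCI DSS scoping asks for.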

beanbag

Monday 7th November 2016
I appreciate what many of you are saying, but we've looked into 3rd party solutions. There aren't many options, and we don't want what they have to offer for the following reasons:

- Price. The resort is a mature timeshare complex so it's not just holiday rentals. The moment you add timeshare to the equation, things get expensive. We are a very small family business. 9 employees (4 of them cleaners) and just under 40 apartments. The minimum cost is well over $10k for the first year, and then over $5k per year thereafter. In other words, it would push up the IT budget by triple which is unaffordable. (All the 3rd party solutions we contacted start with products that can support 100 units or more. Since we're just 40% of that, we end up paying more and none will negotiate on price).

- Complexity. The card data will be hashed and only the company administrator will have access to the private key. Under Spanish law, the administrator is allowed access to card data and is ultimately responsible for it. No employee will have access to real card data (unless they are entering it manually, which they must do). Most hotels will not do this. Next time you check in to a hotel (especially abroad), have a look at the number of times they photocopy your passport/licence and leave your booking.com reservation letter available on the desk. It'll have your full payment details (card number and all) on display.

- API integration. Most suppliers will offer API integration with booking.com or expedia, etc, etc...but not all so you end up having to choose. We want to integrate all 3rd parties that we work with, plus this would mean no employee would ever have to touch a credit card number (unless it's a reception or phone booking).

- Finally, coming back to the price, if you tie yourself into a product it costs a fortune to leave. Set-up costs, training, integration and you never own the software as it's all cloud based.

Anyway.....we're well into development already so it's all good.... smile

beanbag

Monday 7th November 2016
I'm looking into PCI DSS compliance. I just had a chat with a colleague of mine who handles PCI (I work in online gambling so PCI compliance is incredibly strict in my business).

He recommended I look at Stripe or Braintree, both of which are interesting. It is PCI compliant and allows manual credit card data entry, which is what we need. The only pitfall is the cost. Our bank charges less than 0.5% per transaction, which is a great deal, especially when you compare it to most PCI providers, which charge 2.9% + 30 cents per transaction. That's almost 6 times the cost, and once again: this is a small family business with no expansion plans, so costs like this hurt quite badly. Braintree is however cheaper at 1.9% + €0.30 per transaction, but that's still 4 times higher!

At the end of the day, we have a lot to investigate but if anyone can offer any payment provider services that would allow us to handle card data, please let me know.

beanbag

Monday 7th November 2016
TooMany2cvs said:
beanbag said:
I appreciate what many of you are saying, but we've looked into 3rd party solutions.
Just the card stuff. Seriously.
Appreciate your concern, and I've definitely taken the advice on board. We will make the necessary changes; however, keep in mind the average age of the people working in this business is 50+ (my wife and her colleague lower it substantially), so explaining PCI compliance to them is, in a word, challenging.

But I will resolve it. After all, my wife is the administrator, so she is the one that will be liable if things were to go tits-up, and I would rather that didn't happen.

beanbag

Tuesday 8th November 2016
superlightr said:
Not being too harsh I hope, but the fact that X software is 3x your existing software budget, or getting it done with a 3rd party provider which can deal with 100 units when you have 44 and is thus not cost effective, is surely the wrong way to look at it.

Perhaps your budgets were unrealistic to start with and you have had a jolt into the current market rents?

As others have said, getting a proven software setup can be 'worth' more than just how much it costs you, as you have peace of mind, reliability and backup.

We made a jump to a different system for houses and yes, it was more expensive, but blimey, it's so much easier for compliance and use. It's vital to the business and we would not go back to made-to-measure software because it's cheaper, as inevitably it's not supported and doesn't do the job. Also, if/when you come to sell the business, other buyers will look for recognised software they know.
The principle of what you are saying is correct, but there is a finite budget. The investment made this year has been in excess of four times the usual IT budget due to hardware and software upgrades, plus the need to create a PMS to suit our needs.

The current software works, but very badly, crashing frequently and reducing productivity and, more seriously, causing a loss of bookings as customers aren't willing to wait while the system restarts. It's basic conversion science.

So, we need a solution that works well before Easter 2017. It has to fall into the budget that I currently have and within the existing IT budget. I negotiate contracts on a regular basis, and perhaps it's because I represent a well-known company that suppliers are willing to bend over to get our custom; I don't have that advantage as a small family company.

None of the suppliers that I have contacted are willing to negotiate their prices to suit our unit tally, which is, in my opinion, unacceptable. We simply don't make the profit necessary to support such costs, so I am limited with regards to what I can choose. You end up losing your business if it can no longer make a reasonable profit, no matter how good a software package may be. This is basic business science.

Short of the long: we need a solution that is both PCI compliant, or within the legal bounds, and a PMS that supports this system and manages the business efficiently. At least from my side we now have all the customer data, and I've even managed to normalise it to a pretty reasonable 3NF standard. (Top marks to me for looking back at my old uni material) wink

I have a developer that can deliver what we need within our timeframe and, more importantly, within our budget. It might initially be a little rough around the edges, but it'll be a lot more reliable and safer than the current system being used. smile

beanbag

Thursday 10th November 2016
I appreciate many of you are suggesting an off-the-shelf solution; however, the reality is we need a timeshare-compatible solution (which instantly adds huge costs on top of a typical PMS), and they tend to cater only for resorts of 100+.

The business my wife operates is significantly smaller than this. Back in its heyday, they had over 100 units, but over time they have sold them off, so it really is a small resort.

Short of the long: the business simply cannot afford a solution that charges €440 per month. The ultimate aim is to one day get rid of all the timeshare owners, but they are entitled to keep their properties as long as they want, so until that happens, we're legally bound to manage that side of the business. I just hope that moment comes sooner rather than later!

beanbag

Friday 11th November 2016
KevinCamaroSS said:
beanbag said:
I appreciate many of you are suggesting an off-the-shelf solution, however the reality is we need a timeshare compatible solution (which instantly adds huge costs on top of a typical PMS), and they tend to cater only for resorts of 100+. [...]
44 units, 440 Euros/month? That is only 10 Euros per unit per month! That is very small indeed to my mind. I really do suggest you take another look at it. It really is not worth risking a security issue when dealing with cards. Just my 10 cents worth (or 1% if you look at it another way wink )
€10 per unit + cleaning costs + repair bills + taxes + community fees + staff costs + office costs + electricity + water + internet costs + low season costs, etc, etc. wink

Every penny saved makes a huge difference.

beanbag

Friday 11th November 2016
Thank you all for your input. Seeing as none of you know our business, its finances and how it works, I think I, along with my wife and her family, am in a better place to judge.

I'll definitely take your feedback on board, however.

Ta.