Below is ECI’s Andrew Morgan’s somewhat long-winded response to the Disaster in Dallas post:
August 24, 2016
Dear Valued ECi Customers:
We are writing to set the record straight regarding the security and protection of our DDMS/DDMSPLUS hosted systems, your business management software and your data. Please be assured that the security and protection of our dealers’ systems and their data is a top priority for ECi — thousands of dealers around the country trust us to protect their most valuable information, and this is not a task we take lightly. ECi employs industry-standard best practices, tools and technologies to protect your valuable data and business systems and works diligently to try to stay one step ahead of those that seek to compromise our systems.
To provide some background, over the Memorial Day weekend, through ordinary event logging, ECi discovered a piece of unauthorized code on the DDMS hosted environment. We traced this to activity by a legitimate user of the system who inadvertently spread a virus often referred to as “ransomware”; the code sought to block user access to certain files unless a “ransom” was paid. In an abundance of caution, ECi’s IT Security team immediately initiated its security protocols, deactivated access to DDMS/DDMSPLUS, reset all data backups, ran security validations and worked around the clock to have the software up and running again in time for the opening of business Tuesday morning. ECi also engaged a nationally recognized IT security firm to independently test the DDMS/DDMSPLUS hosted environment to assist in remediation. We are happy to report that they concluded no data was breached as a result of this incident.
Recently, Rick Marlette of OP Software, LLC published a false and misleading article regarding the above incident. Marlette has made a habit of authoring defamatory articles in various media about ECi and his other enemies that we have largely chosen to ignore. However, this article caught ECi’s attention because it was so replete with lies, misrepresentations, falsities and scare tactics that it might naturally cause angst among the dealer community and distract you from your business if it went unanswered.
First, don’t believe for a minute that Marlette is an unbiased “reporter” fighting for the welfare of the dealer community; he’s a typewriter bully with an axe to grind with ECi and his article is another self-serving attempt to damage ECi’s business. Second, Marlette cites no sources in his article, provides no proof of any of the alleged activities, and seeks to capitalize on fear-mongering by offering conjecture, speculation and “what ifs” without any facts to back it up. Third, he has not spoken with anyone on ECi’s leadership team regarding the incident to try to validate his claims. His article refers to such things as “reports are starting to trickle in,” “it appears that …” and “I was told by a reputable source.” If he really has credible sources to support his claims, why does he not cite any by name?
Marlette’s article also makes unsubstantiated claims about DDMSPLUS and PCI compliance, another subject about which he clearly lacks any credible knowledge. DDMSPLUS utilizes a vault solution so that credit cards are not stored in the system nor does credit card data ever flow through the system. By doing so, DDMSPLUS is purposely “out of scope” from a PA-DSS perspective and therefore allows dealers to be PCI compliant. PCI still requires dealers to meet the standards for PCI compliance regarding their own organization, but this is a typical solution that many software providers implement to ensure credit card security. It has been endorsed by numerous independent consultants that focus on PCI compliance and security.
We all know people like this and we fully expect that he will now try to engage ECi and our dealers with more lies upon being presented with the facts. We want to be clear up front that this will be our only public response to this nonsense. He has already wasted enough of the industry’s time with his calculated untruths. We sincerely hope that if anyone wants the facts about data security and system integrity as it pertains to ECi’s software systems that they will contact ECi. Don’t get caught up in the fear-mongering of industry bloggers who seek to perpetuate lies and falsities about systems they know nothing about.
We have set up an email address – firstname.lastname@example.org – to which you may submit any questions regarding your system’s security and our team will provide a prompt response.