All is NOT Well

Hear, speak, and see, no evil  RM

ECI’s Andrew Morgan pretty much lost it over my Disaster in Dallas post. Now, he has changed the story from one of his original emails describing the incident shown below.

In Morgan’s latest story (here) I am of course uninformed by, and unconnected to, the ECI elites. I’m just mean ol’ Rick out to get the poor and defenseless ECI. This sounds familiar.

In case you forgot, this was the same excuse provided by Morgan and crew the last time I dared to criticize their pathetically transparent OPSA fraud. Rick just doesn’t understand. Rick is just a United mouthpiece. Rick does not have all the facts. Rick is a liar. Rick’s a meanie. Rick did not consult with us. Rick is not agreeing with us. And on and on. This pat-answer bravado from ECI can all be boiled down to: “We here at ECI are better and smarter than everyone else and are above all forms of criticism.”

While I may not be better or smarter than the ECI elites, I do know bullshit when I see it. The problem with these ECI spokesmodels is that they have become so encased in their own propaganda that they actually believe it themselves. So let’s have a look at what they have to say. You decide who is telling the truth.

In Morgan’s most recent story, (here) he states that a ransomware virus was detected on the DDMS hosted environment and traced back to a legitimate user.

In one of Morgan’s original stories (below), he states that “we are taking the DDMS hosted environment offline.” He goes on to tell DDMS customers, presumably all of them, that two days of orders “will likely need to be re-entered.”

One user, at one dealership, took the entire DDMS hosted environment offline resulting in the loss of two days of business. These are Morgan’s own words. Let that sink in for a minute.

Now, attempt to reconcile these statements with this bit of propaganda from Morgan’s latest spiel: “security and data protection is a top priority for ECI.” You can’t reconcile these two contradictory statements outside the ECI bubble. The event he so willfully describes is clearly a massive security failure caused by a catastrophic lack of priorities.

Was DDMS hacked like I said in my post? According to Morgan, yes it was. Was data compromised like I said in my post? Again, according to Morgan, yes it was.

Morgan wants to split hairs on this one issue claiming the hackers did not carry away your data so there was no data breach. But: “theft or loss of digital media” is the definition of Data Breach according to Wikipedia. In Morgan’s own words, there absolutely was a “loss of data.”

This is only what ECI is admitting so far: DDMS hosted was hacked, shutdown and there was a substantial data loss. What else happened? Who knows? We may never know. I do believe what the few dealers willing to talk about it have to say about the DDMS system. These are long time users of the DDMS system, not clueless presenters. Dealers, who by the way, are terrified of what Morgan will do to them and their businesses if he finds out they are talking to me. I have to be really careful. Morgan is obsessed with finding out who these dealers are. How dare they, after all.

This all confirms the broader point I made: “The ECI bankers only care about making money.” They don’t care about security and they don’t care about your business. You are just an asset to be stripped and flipped to the next banker in line. How many has it been now? Four or five? I lost count. A flip is due any day now, so keep that in mind.

Here is one of Morgan’s original stories regarding the incident:

Dear DDMS Customer,

We wanted to update you on the emergency maintenance being performed on the DDMS hosted environment this weekend.

As a recap of previous communications:

On Sunday we informed you that we were taking the DDMS hosted environment offline for emergency maintenance purposes. As part of our proactive monitoring procedures, ECi detected a potential security threat in one of our datacenters. ECi security and operations staff quickly responded and instituted emergency maintenance procedures to protect your data and ensure business continuity. Immediately upon discovering the potential issue, our IT staff isolated the case and at present we do not believe any dealer’s data within DDMS has been breached. ECi staff continues to work around the clock to resolve the issue.

At this point all systems have been restored and services are functioning.
If you encounter any issues with the hosted environment, please log onto the Support Portal or call Support and choose the option “Hosted”. For other inquiries, such as end-of-month or OPUS loads, please select the “DDMS” option on the Portal or when calling Support.

Due to the nature of the maintenance, orders placed on Saturday (5/28) and Sunday (5/29) will likely need to be re-entered. The ECi team will be proactively sending these reports to you to facilitate this process.

ECi is committed to supporting you and your business. We will continue to evaluate our policies, procedures and control mechanisms to ensure that your systems are safe and secure.

Andrew Morgan
President, Distribution Division

All is Well


Below is ECI’s Andrew Morgan’s somewhat long winded response to the Disaster in Dallas post:

August 24, 2016

Dear Valued ECi Customers:

We are writing to set the record straight regarding the security and protection of our DDMS/DDMSPLUS hosted systems, your business management software and your data.  Please be assured that the security and protection of our dealers’ systems and their data is a top priority for ECi —thousands of dealers around the country trust us to protect their most valuable information, and this is not a task we take lightly.  ECi employs industry-standard best practices, tools and technologies to protect your valuable data and business systems and works diligently to try to stay one step ahead of those that seek to compromise our systems.

To provide some background, over the Memorial Day weekend, through ordinary event logging, ECi discovered a piece of unauthorized code on the DDMS hosted environment.  We traced this to activity by a legitimate user of the system who inadvertently spread a virus often referred to as “ransomware;” the code sought to block user access to certain files unless a “ransom” was paid.   In an abundance of caution, ECi’s IT Security team immediately initiated its security protocols, deactivated access to DDMS/DDMSPLUS, reset all data backups, ran security validations and worked around the clock to have the software up and running again in time for the opening of business Tuesday morning.  ECi also engaged a nationally recognized IT security firm to independently test the DDMS/DDMSPLUS hosted environment to assist in remediation.  We are happy to report that they concluded no data was breached as a result of this incident.

Recently, Rick Marlette of OP Software, LLC published a false and misleading article regarding the above incident. Marlette has made a habit of authoring defamatory articles in various media about ECi and his other enemies that we have largely chosen to ignore.  However, this article caught ECi’s attention because it was so replete with lies, misrepresentations, falsities and scare tactics that it might naturally cause angst among the dealer community and distract you from your business if it went unanswered.

First, don’t believe for a minute that Marlette is an unbiased “reporter” fighting for the welfare of the dealer community; he’s a typewriter bully with an axe to grind with ECi and his article is another self-serving attempt to damage ECi’s business.  Second, Marlette cites no sources in his article, provides no proof of any of the alleged activities, and seeks to capitalize on fear-mongering by offering conjecture, speculation and “what ifs” without any facts to back it up.  Third, he has not spoken with anyone on ECi’s leadership team regarding the incident to try to validate his claims.  His article refers to such things as “reports are starting to trickle in,” “it appears that …” and “I was told by a reputable source.”  If he really has credible sources to support his claims, why does he not cite any by name?

Marlette’s article also makes unsubstantiated claims about DDMSPLUS and PCI compliance, another subject about which he clearly lacks any credible knowledge.  DDMSPLUS utilizes a vault solution so that credit cards are not stored in the system nor does credit card data ever flow through the system.  By doing so, DDMSPLUS is purposely “out of scope” from a PA-DSS perspective and therefore allows dealers to be PCI Compliant.  PCI still requires dealers to meet the standards for PCI compliance regarding their own organization, but this is a typical solution that many software providers implement to ensure credit card security. It has been endorsed by numerous independent consultants that focus on PCI compliance and security.

We all know people like this and we fully expect that he will now try to engage ECi and our dealers with more lies upon being presented with the facts.  We want to be clear up front that this will be our only public response to this nonsense.  He has already wasted enough of the industry’s time with his calculated untruths.  We sincerely hope that if anyone wants the facts about data security and system integrity as it pertains to ECi’s software systems that they will contact ECi. Don’t get caught up in the fear-mongering of industry bloggers who seek to perpetuate lies and falsities about systems they know nothing about.

We have set up an email address – – to which you may submit any questions regarding your system’s security and our team will provide a prompt response.


Andrew Morgan
President, Distribution
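The vault arrangement Morgan describes above, tokenization so that card numbers are held by the processor rather than by the business system, is worth seeing in working form along with the check that verifies the claim. What follows is an added example only: it is not ECi's code and says nothing about how DDMSPLUS is actually built. The vault, terminal and dealer-system classes are stand-ins invented for the illustration, and the card number is the standard Visa test number, not a real card. Keeping only a token in the dealer's records is half the story; the other half is a scan of those records for Luhn-valid, card-number-shaped digit runs, which also catches the case a vault cannot prevent, a number typed into a free-text field by the dealer's own staff.

```python
import re
import secrets
import string
from typing import Dict, List, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn check used by card numbers; filters most random digit runs out of a scan."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0


class ProcessorVault:
    """Stand-in for the payment processor's vault (hypothetical). Dealer code never holds this."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> Tuple[str, str]:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        # Random and letters only: nothing about the token can be mistaken for, or reversed into, a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pan_by_token[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, cents: int) -> bool:
        return cents > 0 and token in self._pan_by_token


def card_terminal(vault: ProcessorVault, pan_entered: str) -> Tuple[str, str]:
    """Stand-in for the card-entry device or hosted form: the PAN goes to the vault, a token comes back."""
    return vault.tokenize(pan_entered)


class DealerSystem:
    """The business system. It is handed a token and the last four digits; it never sees the PAN."""

    def __init__(self, vault: ProcessorVault) -> None:
        self.vault = vault
        self.orders: List[Dict[str, str]] = []

    def place_order(self, customer: str, token: str, last4: str, cents: int, note: str = "") -> int:
        if not self.vault.charge(token, cents):
            raise RuntimeError("charge declined")
        self.orders.append({"customer": customer, "card": f"{token} ****{last4}", "note": note})
        return len(self.orders) - 1


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_for_pans(records: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Scope check: (record index, field name) for every Luhn-valid card-shaped run found in storage."""
    hits: List[Tuple[int, str]] = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_CANDIDATE.finditer(value)):
                hits.append((idx, field))
    return hits


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    vault = ProcessorVault()
    dealer = DealerSystem(vault)
    test_pan = "4111 1111 1111 1111"          # standard Visa test number, not a real card
    token, last4 = card_terminal(vault, test_pan)
    dealer.place_order("Acme Office Supply", token, last4, 4999)
    clean = scan_for_pans(dealer.orders)      # nothing card-shaped in the dealer's records
    # Same system, same vault, but a rep pasted the number into a free-text note.
    # That is the dealer's own handling, and the vault does nothing to prevent it.
    dealer.place_order("Acme Office Supply", token, last4, 1250,
                       note=f"customer read card {test_pan} over the phone")
    dirty = scan_for_pans(dealer.orders)
    return clean, dirty
```

The scan is a scope check, not a compliance determination. A clean result on the application's own tables says nothing about call recordings, e-mail, spreadsheets or paper at the dealership, which is what the letter means by dealers still having to meet the standard for their own organization. Long numeric identifiers (order numbers, SKUs) can produce false positives, which is one reason the token above is letters only.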

Disaster in Dallas


Well it happened. Reports are starting to trickle in regarding the extent of the ECI hacking earlier this year. It appears the hackers got everything, credit cards included. We know for certain that DDMS cloud based systems got hacked, and you can bet that was not all.

I’m going to believe what I was told by a reputable source that DDMS is not PCI compliant. I’m also going to believe that ECI’s stunning answer to this problem was to convert to DDMS Plus, which they claim is PCI compliant. They failed to mention that, along with a multitude of other deficiencies, DDMS Plus will not even take credit cards.

So what does this mean to the typical cloud based DDMS dealer? Here is a warning from one of the many websites dedicated to PCI compliance about what can happen if you get hacked and are not PCI compliant:

Should you experience a breach and fail to prove your continued compliance with the PCI standard you will be forced to cover chargebacks, have your ability to process credit cards suspended, and escalation into a higher compliance tier, and tens of thousands in annual compliance auditing costs.

Now the question has to be what else did they get? Is your raw sales data already out there on the Darknet? Your customer name, every item they bought and the price, for how many years now? Do the hackers know the value of what they have?

My Analyst was the invention of Wilbur Reid who, after promising dealers the moon and stars, left SPR in disgrace when the inept SPR IT department could not hold it together. Then, in yet another stroke of brilliance, SPR dumped My Analyst, the dealers and all that confidential business data on the evil empire that is ECI. There you go dealers, the bankers will take care of you.

Well guess what? The bankers took care of themselves and the dealers are left holding the bag. Does this sound familiar? What started as an SPR scam to increase their profits may end up putting hundreds if not thousands of dealers out of business. Think Mason with ALL your sales history data and you’ll see what I mean.

Let’s not forget that your cost is in there too. So now your competition knows exactly where to strike, exactly where your vulnerabilities are. This takes the reckless disregard of confidential business data to an unprecedented level.

I’m going to go look on the Darknet for your data. I’ll let you know what I find. Understand that if I do find it, there is nothing I can do to keep others from getting their hands on it. Frankly, as valuable as this data will be to your competitors, and the fact that it could very well cost you your business, it’s hard to place all the blame on SPR and ECI.

SP Richards DataGate, The Trojan Horse


Recent filings in the SP Richards’ (NYSE:GPC) DataGate Federal lawsuit have detailed what any hacker or security expert would call a Trojan horse. In computing, a Trojan horse, or Trojan, is any malicious computer program which is used to hack into a computer by misleading users of its true intent.

Many dealers do not understand or appreciate the significance of data theft and how it has skyrocketed into a multi-billion dollar criminal enterprise. All of today’s professional hackers are after your data, including purchase history (buying habits). Simply your name and address is valuable to hackers and can be devastating in the wrong hands. All the security experts agree: Always shred anything with your name on it.

So what about your business data? Do you protect your customers’ data? Do you protect it like your business depended on it?

The top criminal hackers aren’t generally interested in personal info on 1,000 companies or individuals. These professional hackers are after tens of thousands or hundreds of thousands of records. Allowing your sensitive business data to be uploaded to a central depository is putting a big red bow on it and saying, “Here it is hackers, come and get it.”

And that may have already happened earlier this year when ECI was hacked. You didn’t hear much about it, you never do. Of course they claimed nothing was compromised. The truth is that it is usually impossible to tell exactly what happened, what the hackers got, and what data was compromised until it shows up for sale on the Dark Net.

If you think ECI is going to protect you, better think again. Hackers have successfully penetrated some of the most sophisticated networks on the planet. ECI is child’s play to these professional criminals. Let’s also not forget that ECI is owned by bankers and has been for a very long time. Bankers don’t make software, bankers make money.

Who do you think is going to be held liable when that big customer of yours finds their data has been compromised and traces it back to you? It’s not hard to trace the source of data breaches any more. Many companies and individuals, including myself, are starting to add traceable identifiers to any personal or company contact info provided to others. This lets us know when our data has been compromised and by whom.
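The traceable-identifier idea in the paragraph above, worked through as an added example. This is not the author's own setup: the mailbox, domain, secret key and the three recipients are assumptions made for the illustration, and the "leaked" lines are constructed. Each party you share contact details with gets a plus-addressed variant whose tag is an HMAC of the recipient's name, so a tag cannot be guessed or forged by anyone without the key; when that variant later turns up in a spam run or in a dump offered for sale, the registry tells you whose copy leaked.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Assumed values for the example. The key must stay secret: without it nobody
# can forge a tag that points the finger at a recipient of their choosing.
TAG_KEY = b"rotate-me-and-keep-me-out-of-source-control"
BASE_LOCAL = "rick"          # the mailbox that receives every tagged variant
DOMAIN = "example.com"       # placeholder domain, not the author's
TAG_LEN = 8                  # hex chars; 32 bits is plenty for a contact list


def tag_for(recipient: str) -> str:
    """Derive a fixed, non-guessable tag for the party we are handing our details to."""
    name = " ".join(recipient.strip().lower().split())   # normalize case and spacing
    return hmac.new(TAG_KEY, name.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def tagged_address(recipient: str) -> str:
    """Plus-addressed variant given to exactly one recipient, e.g. rick+3f9a1c2e@example.com."""
    return f"{BASE_LOCAL}+{tag_for(recipient)}@{DOMAIN}"


class ContactRegistry:
    """Remembers which recipient was issued which tag so a leaked copy can be traced back."""

    def __init__(self) -> None:
        self._recipient_by_tag: Dict[str, str] = {}

    def issue(self, recipient: str) -> str:
        self._recipient_by_tag[tag_for(recipient)] = recipient
        return tagged_address(recipient)

    def trace(self, observed: str) -> Optional[str]:
        """Name the recipient whose copy this address came from, or None if untagged or unknown."""
        m = re.fullmatch(
            rf"{re.escape(BASE_LOCAL)}\+([0-9a-f]{{{TAG_LEN}}})@{re.escape(DOMAIN)}",
            observed.strip().lower(),
        )
        return self._recipient_by_tag.get(m.group(1)) if m else None

    def trace_dump(self, lines: List[str]) -> Dict[str, List[str]]:
        """Scan text (a spam run, a dump for sale) and group the hits by leaking recipient."""
        email = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
        hits: Dict[str, List[str]] = {}
        for line in lines:
            for addr in email.findall(line):
                who = self.trace(addr)
                if who is not None:
                    hits.setdefault(who, []).append(addr)
        return hits


def demo() -> Dict[str, List[str]]:
    registry = ContactRegistry()
    for party in ("Wholesaler A", "System Provider B", "Trade Show C"):
        registry.issue(party)
    # Constructed sample lines standing in for a dump; only one tagged address is present.
    leaked = [
        f"To: {tagged_address('System Provider B').upper()}  Subject: toner closeouts",
        "someone.else@example.org, rick@example.com",        # untagged, cannot be traced
        f"rick+deadbeef@{DOMAIN}",                             # well-formed tag that was never issued
    ]
    return registry.trace_dump(leaked)
```

Two caveats a practitioner should keep in mind. Plus-addressing only works while the recipient keeps the tag: a system that normalizes user+tag@ down to user@, or a leaker who strips it deliberately, leaves an untraceable address, which is why the plain rick@example.com in the sample yields nothing; a distinct subdomain or mailbox per recipient survives that. And a hit shows which recipient's copy escaped, not how it escaped, so it is evidence for the conversation the paragraph describes rather than proof of intent.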

The reason? Proving someone has been careless with your data, especially when they lie about it, is worth a lot of money. Home Depot has settled their data breach for $13 million. It cost Target $39 million. And the list goes on. AvMed, $3.1 million. Stanford, $4.1 million. Sony, $15 million. LinkedIn, $1.25 million. Everyone is taking data security seriously today, and those that don’t are going to pay big time.

Whatever you do, don’t lie to your customers about it. Never tell customers you don’t share their data with third parties if you participate in one of these ECI/SPR data schemes. Because you ARE sharing sensitive customer data with third parties, and with NO restrictions – read the contract. If you lie and claim you don’t share sensitive customer data, when in fact you do, you can be held doubly liable when it all goes bad.

Don’t make the mistake of assuming that purchase history data is somehow exempt and not considered sensitive data. Of course it is sensitive data! Advertisers will pay top dollar for your buying habits so they can bombard you with targeted ads. This is considered by most as an invasion of privacy. Deliberately exposing your customers to this invasion without their permission is asking for trouble.

Then there is the competitive disadvantage of sharing your customer’s data. Would you approach your rival’s biggest customer, perhaps a bank or healthcare provider that would be especially sensitive to data security? Would you make it known to this large customer that their current supplier is exposing them to exploitation by providing their complete and detailed purchase history, unrestricted, to third parties? Would you also let this large customer know that their current supplier has likely lied to them regarding this data sharing?

What about government agencies? Do you have any government business? Do your government customers know you are sharing their buying habits and perhaps other sensitive data, unrestricted, with third parties? This one I would be especially worried about. Depending on the agency and terms, you could face hefty fines and even criminal charges if they find out you are not protecting their data.

Don’t buy the excuse that “we only sell your data aggregated.” While that could be true, you on the other hand, as the dealer, are providing complete details on ALL your customers’ purchase history to a third party without restrictions. Just because they say they aren’t selling your complete customer lists and detailed purchase history doesn’t change the fact that they have it. It also doesn’t change the fact that when that third party gets compromised, you will be the one held liable for the mishandling of your customers’ sensitive data.

While I understand that there is a value to some of the services being offered in exchange for your data, is the potential harm worth the value? This is the whole point of a Trojan horse. It’s pretty to look at, but inside is a deadly payload designed solely for the benefit of the hacker.

SP Richards Sued, Part 2


It’s just this one guy mad at us because we won’t let him come to our show. Those two guys are just trouble makers and you shouldn’t pay any attention to them. And then there were three. What’s the excuse now?

Gilbert Walter of eQuality Internet Services now says he too is on the ‘official’ uninvited list for the SP Richards ABC show. Seems that Mr. Walter agrees that dealer data belongs to the dealer and sharing it with third parties is unethical. Mr. Walter’s position is in conflict with the SP Richards corporate policy and Mr. Walter must be punished. See his complete statement below.

I first conflicted with the SP Richards corporate policy when I refused to allow them to include my competitive data, for free, in their My Analyst product. It took legal action to finally get them to remove it. So you can imagine my surprise when, out of the blue, Stacy Bell contacted me inviting me to the ABC show.

Upon entering the exhibit hall, front and center are Stacy Bell and Wilbur Reid waiting to greet me. Above their heads is a large sign attached to the My Analyst booth that said: “Item411 Gets the Price Wrong!” I was no longer surprised.

I signed up five of the largest SP Richards dealers at that show. The next year when I contacted Stacy Bell, well in advance, about coming to the ABC show, no booths were available. Of course I knew this was just an excuse. Others who did go confirmed the fact that there were plenty of empty booths available at that show.

Two years ago, I was invited to the ABC show by an SP Richards vendor. This vendor wanted me in their booth because of my experience and knowledge in the industry. I’ve done this many times, with many vendors, at many shows, over the last 30+ years. This long history of guest booth appearances had also included a few guest appearances at SP Richards’ competitors Lagasse and Essendant. I explained to this vendor that this could be a problem. The vendor stated: “Don’t be ridiculous, everything will be fine.”

I signed up, paid up and showed up. I went to the registration desk and said “Hi, I’m Rick Marlette and you should have a badge for me.” They gave me my “Rick Marlette” badge and off to the vendor’s booth I went.

Everything did go fine, up until the last hour of the show. Then Paul Gatens asked me to leave. Well not actually Paul Gatens, apparently he’s afraid of me. Paul recruited a hotel security guard to do the deed. I demanded that the security guard identify the person behind the request to throw me out. I was escorted over to a sheepish looking Paul Gatens. I forced Paul to shake hands with me before I left.

SP Richards is certainly entitled to invite or exclude anyone they want. It is their show. It’s the lies and childish behavior that I take exception to.

No sensible person is going to believe this “it’s just one disgruntled guy” excuse anymore. Two may be company, but three is a crowd. It doesn’t end with these three documented instances either.

There are more system providers that are far too afraid to speak out. It’s not just about being denied access to the ABC show. The SP Richards army of sales reps play an important role in which system providers dealers look at, or even worse, switch to. You can bet the reps are biased. They better be if they want jobs. Phrases like “Supports SP Richards programs” are code for “They’re on board, better choose them.”

SP Richards is not the only one that has choices when it comes to what you should or should not be allowed to see. You and I have choices as well. I will be making a guest appearance at the AOSWare Product Demonstration just across the street from the Gaylord and the ABC show. I will be in the Marriott Residence Inn Boardroom Friday July 22 from 8:00 AM until 5:00 PM and again on Saturday July 23 from 8:00 AM until 5:00 PM. Everyone is invited, including Paul Gatens.

If you are worried about your current system provider’s long (or short) term prospects, if you feel your system provider has been reckless with the trust you have placed in them, or if you just have general questions about the future, please drop by.

If you want to know more about what may be going on behind your back, check out these two posts:

April 2013 where I tried to warn UK dealers about ECI and UK wholesaler VOW’s attempt to mimic what was already well underway in the US:  The Americans Are Coming.

June 2013 recap of FIVE separate posts showing complete details into how this data grabbing scam works: Analyze This, Recap

Here is Gilbert Walter’s complete comments in response to the first SP Richards Sued Post:

This might explain why eQuality Internet was once again uninvited to the ABC conference this year. We’ve refused requests from both wholesalers to provide them with dealer information for years now. I was told all the other software companies were doing this, and we needed to fall in line. Dealer data belongs to the dealer. It is unethical to provide this information to 3rd parties. Glad to see AOSWare believes the same thing.

SP Richards Sued Over Dealer Data


This is a Federal lawsuit and it is public information (for a small fee of course). I am not a lawyer so all of this is just my personal opinion after reading the complaint and adding two and two together. Links to the mentioned documents are below.

This begins with a screen capture of an email from over a year ago. The screen capture was taken by me, without permission, during an AOSWare webinar. I do not know whether I was intended to see this email or whether, as I have done myself many times, the presenter simply had emails or other files open before the webinar started.

This email screen shot may be difficult to read, because it was hastily grabbed, but if you blow it up and scroll, you can see that it is an email chain originating from Glenn Bousquet at SP Richards and addressed to Sonny at AOSWare.

This is not about an individual at SP Richards. I do not even know Glenn Bousquet, and I don’t need to. I can see the inherent SP Richards culture in the framing and phrasing of this email. The same culture that has permeated SP Richards for some time now. A culture that has affected many, but certainly not all, SP Richards representatives.

The email starts out with a question “Are you going to be at the ABC this year?” Not by coincidence this exact same question is repeated again in the chain. Understand that this is an ill-concealed threat. SP Richards uses the ABC show as leverage to keep the system providers in line. You can take my word for it: If you don’t give SP Richards what they want, you will be banned from the ABC show.

Glenn goes on to say in the email, “I was finally given the approval to move forward to establish a fair agreement in paying AOSWare for the setting up and maintaining data feeds.”

This was clearly SP Richards attempting to entice AOSWare into surreptitiously providing SP Richards with confidential dealer data. Confidential dealer data that AOSWare would supposedly have access to as a normal course of their business.


That was my first reaction, and why I grabbed the screen shot before it quickly went away. As you read further you see much more in this email. Glenn did not really need “approval.” This was just a veiled attempt to make it appear that AOSWare was special. Because as you read on you see: “this is very consistent in what we have set up with the other software vendors.”

Notice Glenn doesn’t say “some” of the other software vendors, or “a few” of the other software vendors, but “the” other software vendors. Glenn is making a clear point here: Your competition is doing it, and AOSWare better get on board or suffer the consequences. Glenn also seems to be saying that this is standard operating procedure at SP Richards. Everyone is in on it, no worries, nothing unusual going on here, move along.

Then there is the money. Lots of money. Assume just 100 dealers and you are looking at SP Richards offering AOSWare a $25,000 prebate (set up fees) and $10,000 per month “on-going” for SP Richards to gain what I assume to be full access to AOSWare confidential dealer/customer data. Pretty tempting huh?

If you are an AOSWare customer, understand this is your data, your property, that SP Richards is negotiating to buy. SP Richards will of course dodge all responsibility claiming that it’s all on AOSWare. AOSWare should disclose to the customers that their data is being hijacked. AOSWare should share this windfall revenue with the customers. Do you really think this is SP Richards plan? Full disclosure and fair sharing of revenue?

At the top of the email you see that AOSWare is declining the SP Richards offer. This is going to be a HUGE problem for AOSWare.

You do not say “no” to SP Richards if you know what’s good for you. I know from personal experience that certain SP Richards representatives can turn into vicious vindictive assholes if you dare stand in the way of what they want. Never mind their vitriol may cause harm to dealers. It’s all about puffing the ego and putting people in their place.

One last point about this email and we’ll move on. Notice that Sonny ends his reply to this email with “Sorry I will not be at the ABC show.” Sonny knows, everybody knows, that AOSWare will now be banned from the ABC show for refusing to do SP Richards bidding. Vicious, vindictive assholes.

Switching to the complaint filed in Federal Court, as I read it, paragraphs 12 and 13 state that SP Richards and AOSWare shared confidential information including AOSWare’s customer list.

Paragraphs 14 and 15 of the complaint I believe to be references to the event taking place in the email. Paragraph 14 speaks to “key employees of SPR” approaching AOSWare requesting AOSWare cooperation. Paragraph 15 states that on each occasion AOSWare declined these requests.

I read paragraphs 18, 19 and 20 to claim/imply that SP Richards and ECI approached AOSWare customers using the confidential customer list provided under the claimed non-disclosure.

In my opinion, very briefly and in a nutshell, what it appears that the complaint is alleging:

SP Richards did not take kindly to being told “no” by AOSWare to set up a direct feed of dealer data from AOSWare to SP Richards.

SP Richards then went to their second source of obtaining dealer data, ECI’s Acsellerate. Second because SP Richards knows that ECI will likely cost more than dealing directly with the system provider.

ECI was given AOSWare’s customer list (allegedly) and told to go market Acsellerate to the AOSWare customers. This is a ploy hoping to force AOSWare into an integration, by having AOSWare customers demand an Acsellerate integration with AOSWare, wherein SP Richards would then gain access to the dealer data VIA ECI, allegedly.

It appears that SP Richards’ unquenchable thirst for dealer data was denied by what, if you believe the email, is the only ethical system provider in the industry. SP Richards then pitched their usual tantrum, but this time overstepped their bounds and wound up in Federal court.

This behavior by certain SP Richards representatives is inexcusable and indefensible. It’s high time they were called out on it. Thank you AOSWare for having the courage to stand up for and protect the dealers rights.

If you are a system provider, stop putting up with the bullying. The ABC show isn’t all that. If you are a dealer, call your system provider and ask if your data is being sold to third parties. Glenn seems to imply that they are all doing it, so find out for sure and get a cut at least.

You know that if SP Richards is offering $100 per month for your data, it’s worth a HELL OF A LOT more than that to them.

Email Screen Capture



Amazon Business Baloney


Amazon announced last week that their new Amazon Business division had reached one billion dollars in sales. Impressive, right? Not so fast.

First I have a confession to make: My wife had an Amazon.COM account. I say had because she converted it to an Amazon Business account. The promised perks are so appealing, who could resist? It was real simple too, just answer a few on-line questions and you’re done.

So now when she buys her running shoes or a book for her Kindle on Amazon, those sales dollars likely get chalked up to Amazon Business. Of course it’s not a business expense and of course she uses her personal credit card, but let’s not let that get in the way. The numbers are in!

Now it’s also likely that every purchase made by these so called “Business Accounts” from all those other used-to-be-regular customers gets added to the Amazon Business tab and abracadabra, a Billion Dollars!

They don’t let you switch back (or we can’t figure out how) nor will they let you create a separate personal account with the same email address. It’s Amazon Business or nothing from then on.

The truth about Amazon Business is much more likely to be in line with Prentis Wilson’s sworn testimony: Amazon Business “had no big corporate customers, did not stock shelves and often did not bid for a customer’s business.” He went on to say: “At this point, Amazon Business does not negotiate contracts with large business customers,” and when asked if Amazon was the primary supplier to any company with revenue over $250 million, Wilson said, “Not to my knowledge, no.”

Nice try Amazon. In my opinion this is just another hat trick to sucker in some investors while insiders sell, sell, sell.