During my investigation into BBX I established that a security problem existed in the storage and access of critical financial and personal information within the company management systems. I advised the public by way of my blogs, and other key people and entities, alerting them to the issues involved. These issues are at a criminal negligence level, depending on the jurisdiction. This is now the formal public notification of this data breach, issued in the form of a Media Release.
[ORIGINALLY POSTED in February 2017 at http://www.dennis.co.nz/2017/02/media-release-bbx-data-security-breach-14-february-2015/index.html]
The media release detailed below formally warns the public and BBX International franchisees/members that a serious data breach has occurred. There are several factors within this Media Release that increase the seriousness of the situation:
- The data security breach has been longstanding – years. This means that critical data can be and probably has been accessed by many people from many countries (at least eight that I know of: New Zealand, Australia, Malaysia, Hong Kong, Singapore, China, India and the UK), potentially dozens of people in senior positions and who knows how many staff during the years the problem has existed.
- The data security breach contains financial data that would be considered ultra critical and highly sensitive information of the highest order. Let me put that another way. There is information available of a nature that, being exposed, goes beyond a simple breach of PCI compliance into a criminal nature. We are not talking of simply somebody seeing your account balance or just getting your credit card name and number . . . no, this is simply the start. In the Media Release I quote an expert that I spoke to who told me this: “Dennis, in all my years of IT security work this is the worst case I have ever seen”. I don’t lie and I have a lot of experience at my fingertips, including some very experienced IT specialists.
- With the demise of BBX imminent, the likelihood of the compromised data being extracted and copied to other parties will increase exponentially as the various Franchisees act to protect their own interests. Imagine that you are going to lose access to your client base, which will include as a by-product sensitive client information – what would you do? You would be likely to protect your livelihood and income streams. This data WILL CERTAINLY be compromised very shortly.
- The likelihood of cooperation from the company is low unless it is forced into a position where it must act. This is a company that has refused to address this issue even though it has been raised repeatedly over years; it hid the issue and pushed it under the carpet, deliberately and knowingly, and this attitude continues to exist to this very day.
- The data HAS been compromised. I have seen enough evidence that I KNOW the data has been compromised. I strongly suspect that it has been compromised more than once too, over a long time, but that the perpetrators are choosing not to use it or sell it. For what reason(s) I could guess, but it doesn’t change the fact that while the worst case scenario for BBX and BBX Members (they all lose their entire Credit Card balances etc etc) may not have occurred yet, it’s an inch away from possibility. I, and the banks, assess that this is a RED ALERT situation for all BBX Members.
- I can, but will not, contact any BBX Member proactively. I have no need or interest in doing this and as an investigating blogger determined to close the BBX operations down, I don’t NEED to do more. My focus is on moving forward and securing the evidence that the authorities need for convictions. I believe that with this Media Release, the industry (and this includes the industry watch-dog IRTA), other barter trade exchanges and everyone associated with BBX should take up the cause and stop the rot. This financial data breach is too serious an event for one blogger to take responsibility for. I have answered and will answer individual calls as or when I can and offer advice, but I have done what I consider my job in getting the message out here – plus I am halfway through writing the book Bartercard SECRETS, which has taken on an urgency now that wasn’t there before BBX’s demise. There are also various ethical and legal considerations that make it a marginal exercise for me personally.
To the Barter industry I suggest to you, the following questions:
- When did IRTA receive notice of publication? Answer: It was prior to publication on 10th February 2017.
- Did this include information relating to serious data security issues (and other serious offences) that should have initiated action on their part? It did.
- Did IRTA speak to me or establish facts sufficient for immediate termination of BBX forthwith; and did they have access to that information? The Answer is no, but they could have and did have.
- Does it concern you that an International barter exchange with potentially 88,000 cardholders in more than half a dozen countries is getting roasted online, is clearly going down and has now been shown to have massive data security issues? What have you done about it?
To BBX International Franchisees, particularly those who have defended the brand and business of BBX, and to the ex-Franchisees, ex-staff members and current staff members . . . did you and/or will you stand up and be counted, or will you go down with the ship? I’d prefer to be a rat that jumped ship and be SEEN as a rat abandoning the ship rather than to hide from sight and go down with it. This is your chance to stand up and be counted. Once it is gone it is too late to claim any credit. You will just be seen as one joining in on the bandwagon. Affirmative action in public now will cement you in the minds of others forever as proactive and standing for ethics. Failure to act will be seen as complicity.
There are multiple criminal acts that have occurred within the BBX operations and going back many years. Many people know this although few people know the lot. Somebody, somewhere, sometime has the opportunity to come forward and do the honourable thing. The Police in many countries know already and are just ready and waiting to hear your story.
There are two clarifications I wish to give . . . the two quotes supplied by BBX CEO Carolin MacDonald and IRTA’s Ron Whitney are actual quotes from actual words spoken and written about the subjects PRIOR to issuing this Media Release. The reasons for this use of aged quotes are that the Media Release was held until the appropriate authorities knew and did what they had to do before it could go out, and obviously cooperation from the two entities mentioned has been rather ‘difficult’, shall we say. It is an expectation that a Media Release contain some aspect of a story with life, and human input from multiple parties. I consider the use of these quotes accurate in the context of the entire BBX saga though.
This then, is the Media Release in PDF format and HTML format that warns the public that up to 88,000 cardholders within the BBX International system are victims of a serious data security breach. Note also, if you knew or should reasonably have known of this and you did not act, guess what your chances are of claiming back any resulting losses from this point onwards? Hmmmmm! Likewise with the various jurisdictions and failing to report crimes. I cannot over-emphasise the extreme seriousness of this situation:
FOR: IMMEDIATE RELEASE
DATE: 14 FEBRUARY 2017
FROM: DENNIS A. SMITH, INVESTIGATIVE BLOGGER
SUBJECT: SERIOUS DATA BREACH – 88,000 CARDHOLDERS
CONTACT: www.dennis.co.nz, email@example.com; +64 272 046-112
BARTER COMPANY DATA BREACH
Affects over 88,000 cardholders of barter company, BBX International
Auckland, New Zealand: Investigative blogger Dennis A. Smith warns that critical financial and personal information from members of an International barter company, BBX International, has been seriously compromised.
He states that credit card companies Mastercard & VISA have already been advised and that all BBX members are advised to contact their Credit Card Fraud Office immediately and follow their instructions.
“According to what I have been informed, this is considered to be a very serious breach of data security,” Mr Smith says, “From information received to date, the breach appears to be an internal management issue rather than a hacking attack affecting all members internationally”.
He explains that a data security expert noted that this was the worst example of reckless data management that he had ever seen. Mr Smith explained the significance: “In this case, critical financial information is visible by all staff, internationally, stored in plain text format and even on offshore servers without client knowledge or approval. This is a flagrant breach of banking guidelines and many financial laws!”
The banking industry has tightened regulations surrounding the storage and transmission of personal and financial data in the last decade. “PCI [Payment Card Industry] compliance is an absolute must for all businesses nowadays,” Mr Smith says. “It’s part of a worldwide effort to combat cyber-crime and money-laundering with substantial inter-bank fines issued for security breaches”.
BBX International CEO, Carolin MacDonald, has confirmed that the number of cardholders displayed on the company website (slightly over 88,000) is correct and updated in real-time.
- All BBX International Franchisees, Agencies and Members are affected;
- The risk of Members’ critical financial information being compromised is high;
- Major Credit Card companies have been advised;
- Investigations are on-going and of an international nature.
Mr Smith says that the company has been warned more than once of the risk. “My investigations have unearthed evidence of repeated warnings for some years. Management resistance to basic security and banking compliance seems to indicate a cavalier style that unfortunately under investigation has brought serious problems to the surface.”
BBX International is a member of IRTA, the International Reciprocal Trade Association. President and CEO, Ron Whitney says, “IRTA is extremely concerned about the BBX situation . . . We of course are conducting our own review of the matter and will take appropriate action once we have all the facts.”
Recommended action: All parties affected should contact their issuing Credit Card Fraud/Security service and follow their instructions. They may wish to also instruct their local branch of BBX International to remove their financial and/or personal information from any insecure system.
About the Author: Dennis A. Smith is an author and investigative blogger operating from New Zealand. He specialises in providing analysis and commentary in the alternative currency sector, which includes commercial barter. His investigations include the international Ormita fraud, the report of which led to the fraud’s speedy closure; a three-year exposé of a Dutch scam & his book The Qoin Con, which led to Qoin’s bankruptcy for more than £500k; a damning analysis of the Australian barter company, Bartercard, which he claims operates like a Ponzi Scheme; and more recently, The BBX Investigation, in which his blogging has revealed serious deception & management deficiencies across eight countries.
The BBX Investigation Series
- 1. PUBLIC WARNING: BBX Barter (2,381 words)
- 2. War Erupts Within BBX Barter (4,090 words)
- 3. BBX is Busted – Working it Out (2,388 words)
- 4. BBX has big, Big, BIG Problems (1,778 words)
- 5. The Demise of BBX (3,489 words)
- 6. BBX – A Summary (1,308 words)
- 7. Reflections on Investigating BBX (6,394 words)
- 8. BBX – The First Criminal Charges (3,625 words)
- 9. BBX Crimes – The Significance (2,710 words)
- 10. BBX Causes Problems for IRTA (2,251 words)
- 11. BBX: Rats Off a Sinking Ship (1,715 words)
- 12. BBX Data Security Breach (1,852 words)
- 13. BBX Threatens – Sue Me PLEASE! (1,511 words)
- 14. The BBX Knives Are Coming Out (1,791 words)
- 15. BBX Memberships – Names in a Database (2,774 words)
- 16. BBX UK & The Franchise Show (2,840 words)
- 17. OPEN LETTER 1 – BBX Members (162 words)
- 18. BBX Currency Analysis – 10c/$1.00 (1,527 words)
- 19. The BBX People Speak (11,726 words)
- 20. More Words from BBX People (15,206 words)
- 21. How BBX Did It – Lies & Theft (3,663 words)
- 22. BBX – Winding Down/Winding Up (3,217 words)
- 23. BBX New Zealand Analysis (828 words)
- 24. BBX UK Membership Analysis (1,143 words)
- 25. BBX NZ – Serious Fraud Office (1,261 words)
- 26. BBX – Thailand Member Analysis (1,165 words)
- 27. BBX Minor Countries Analysis (574 words)
- 28. The BBX People (2,290 words)
- 29. BBX International in a Nutshell (295 words)
- 30. The Raw BBX Data (4,463 words)
- 31. BBX Members React – It’s War (5,617 words)
- 32. BBX and Issues of Morality (1,363 words)
- 33. Warning to BBX Staff & Associates (1,944 words)
- 34. BBX Devaluation Helps With Tax Losses (1,269 words)
- 35. BBX Rips Open the Barter Industry (1,237 words)
- 36. MEDIA RELEASE: Barter Tax Avoidance Warning (516 words)
- 37. BBX Whistleblower: Cameron McKean (4,994 words)
- 38. The BBX Investigation Final Comments (1,504 words)