Old IT won't provide documentation or passwords
-
@syko24 said in Old IT won't provide documentation or passwords:
So I am working with a new client and have reviewed what equipment they currently have in place. Couple items of concern are that the old IT company has not provided any information and refuse to hand over passwords. They have told the office manager of the company that it would be a security risk for them to have the passwords. My question is will a domain registrar allow the company to reset the password or is this going to have to go to the attorneys? Old IT also controls the Office365 account. All the internal equipment - servers, switches, and routers I can likely factory reset in order to regain access.
Providing information/documentation is not anything you can do about. But passwords? Go immediately to an attorney, and then to the police if the attorney says that nothing in the contract terms gave ownership to the prior support company.
-
@Dashrender said in Old IT won't provide documentation or passwords:
Classic error as many have said around here before... allowing someone other than the business owners/top brass owning the domain name.
Depending on the conditions of the domain name, the IT vendor might be the owners of the domain, and the company might not actually be able to force them to hand it over. I see lawyers in the client's future.
As for O365, that will probably be a bit easier, but it might have to wait until the disposition of the domain name is resolved.
Good luck.
Yeah definitely agree the company should always have the domain under their own account.
The office manager is new and when he first contacted the IT company they refused to give any information. The topic of the domain hasn't come up yet, but I assume they are not going to hand it over without issues.
-
@JaredBusch said in Old IT won't provide documentation or passwords:
@syko24 said in Old IT won't provide documentation or passwords:
So I am working with a new client and have reviewed what equipment they currently have in place. Couple items of concern are that the old IT company has not provided any information and refuse to hand over passwords. They have told the office manager of the company that it would be a security risk for them to have the passwords. My question is will a domain registrar allow the company to reset the password or is this going to have to go to the attorneys? Old IT also controls the Office365 account. All the internal equipment - servers, switches, and routers I can likely factory reset in order to regain access.
Providing information/documentation is not anything you can do about. But passwords? Go immediately to an attorney, and then to the police if the attorney says that nothing in the contract terms gave ownership to the prior support company.
Yeah I mean I don't know what the IT company's argument can be when holding onto another company's domain. Can they say they were leasing the domain to them?
-
@syko24 said in Old IT won't provide documentation or passwords:
Yeah I mean I don't know what the IT company's argument can be when holding onto another company's domain. Can they say they were leasing the domain to them?
Absolutely.
Same for O365.That is why I said check with legal first.
-
@syko24 said in Old IT won't provide documentation or passwords:
@Dashrender said in Old IT won't provide documentation or passwords:
Classic error as many have said around here before... allowing someone other than the business owners/top brass owning the domain name.
Depending on the conditions of the domain name, the IT vendor might be the owners of the domain, and the company might not actually be able to force them to hand it over. I see lawyers in the client's future.
As for O365, that will probably be a bit easier, but it might have to wait until the disposition of the domain name is resolved.
Good luck.
Yeah definitely agree the company should always have the domain under their own account.
The office manager is new and when he first contacted the IT company they refused to give any information. The topic of the domain hasn't come up yet, but I assume they are not going to hand it over without issues.
This is a tricky situation - We recently talked about it here. In one case the IT company could claim it was their domain and they were setting it for their customers use, but not ownership... I have no idea how that would turn out in a court battle, except to say bloody.
As for the passwords - now that they have to hand over, otherwise it's stolen property in some sense....
-
Smart companies will not only allow a client to transition to another company, they will actively aid the client. Maybe not free but for a reasonable fee.
But also because maybe the client tries something new and then decides it was better the way it was. Or perhaps in the future you end up with another client going in the opposite direction.
-
@Pete-S said in Old IT won't provide documentation or passwords:
Smart companies will not only allow a client to transition to another company, they will actively aid the client. Maybe not free but for a reasonable fee.
But also because maybe the client tries something new and then decides it was better the way it was. Or perhaps in the future you end up with another client going in the opposite direction.
We always remind our customers when asked that we would be happy to help them find someone new if they have a problem with us.
-
@syko24 said in Old IT won't provide documentation or passwords:
Yeah I mean I don't know what the IT company's argument can be when holding onto another company's domain. Can they say they were leasing the domain to them?
Often, an IT company will want to manage the domain name. They will say they need to transfer the domain to a new registrar so they can manage it efficiently, with all of the domains they manage. This is all fine, until this happens: In this process they will change the registrant to themselves.
Have the attorney pull a registrant history. It will likely show your client was the owner immediately prior to the IT company taking over. If this is the case, ask the old IT company produce the signed agreement transferring (selling) the domain to them. When they can't, you be able to demonstrate theft.
-
@syko24 said in Old IT won't provide documentation or passwords:
Couple items of concern are that the old IT company has not provided any information and refuse to hand over passwords. They have told the office manager of the company that it would be a security risk for them to have the passwords.
This is a legal issue. The old vendor is now considered a "hacked" under US law at least and this is malicious action. Don't do ANYTHING except get a lawyer involved. This is zero IT and 100% a legal matter.
-
@syko24 said in Old IT won't provide documentation or passwords:
My question is will a domain registrar allow the company to reset the password or is this going to have to go to the attorneys?
OMG, I talk to companies about this all of the time. ALL of the time. At least a few times a week. I have a video already recorded weeks ago just waiting for the editing to wrap up that talks about this.
There is zero, and I mean ZERO, excuse for any company ever allowing anyone except and owner/CEO/lawyer to have registrar passwords. Ever. Literally no excuse. Nothing anything says about lazy or stupid or clueless CEOs excuses such a basic failure to adult, let alone run a business. Handing over passwords to the registrar is akin to providing power of attorney over the identity of the company.
The problem here is, the old IT company can make the claim that they own the domain, not the customer. And the general proof for who owns it is handled by the holder of the passwords. Since the old IT company has the passwords and the customer does not, this could get messy if the old IT company has any clue and decided to be malicious.
Since there is absolutely zero reason for anyone technical to ever have had access to the passwords for this, it's going to make a court case that much harder. Try explaining to a judge that you truly own the domain when you don't have the passwords to your "digital real estate registration" but a third party does, a third party for whom there was no logical reason to have had those passwords unless they were the owners of the domain!
-
@syko24 said in Old IT won't provide documentation or passwords:
Old IT also controls the Office365 account.
This is different. Have your lawyer contact MS.
-
@syko24 said in Old IT won't provide documentation or passwords:
@JaredBusch said in Old IT won't provide documentation or passwords:
@syko24 said in Old IT won't provide documentation or passwords:
So I am working with a new client and have reviewed what equipment they currently have in place. Couple items of concern are that the old IT company has not provided any information and refuse to hand over passwords. They have told the office manager of the company that it would be a security risk for them to have the passwords. My question is will a domain registrar allow the company to reset the password or is this going to have to go to the attorneys? Old IT also controls the Office365 account. All the internal equipment - servers, switches, and routers I can likely factory reset in order to regain access.
Providing information/documentation is not anything you can do about. But passwords? Go immediately to an attorney, and then to the police if the attorney says that nothing in the contract terms gave ownership to the prior support company.
Yeah I mean I don't know what the IT company's argument can be when holding onto another company's domain. Can they say they were leasing the domain to them?
100% yes. And that they have the passwords suggests that logically, this was assumed. If it is under their own account, that even more suggests that they are the true owners.
Here's the real problem... can your company owners prove to YOU that they owned the domain? I bet not. You'd be hard pressed to convince any of us that the company owners owned a domain that's not held in their own account. If we are hard to convince, imagine how hard a court is going to be to convince to make them forcible seize something from the IT company that is 100% in that company's name and that they have been paying for. They won't do it. I wouldn't do it.
Chances are your company paid the IT company and the IT company paid the registrar (this is almost guaranteed.). In which case, they can show that the lease is implied. Unless you have a lawyer with some magic up their sleeves, all you can do is pray, beg, and hope.
-
@JaredBusch said in Old IT won't provide documentation or passwords:
@Pete-S said in Old IT won't provide documentation or passwords:
Smart companies will not only allow a client to transition to another company, they will actively aid the client. Maybe not free but for a reasonable fee.
But also because maybe the client tries something new and then decides it was better the way it was. Or perhaps in the future you end up with another client going in the opposite direction.
We always remind our customers when asked that we would be happy to help them find someone new if they have a problem with us.
I say things like "if we were every to go crazy and you had to fire us, you could call someone like Bundy Associates to take over the account in a matter of hours" a few times a week to customers.
-
@JasGot said in Old IT won't provide documentation or passwords:
Have the attorney pull a registrant history. It will likely show your client was the owner immediately prior to the IT company taking over. If this is the case, ask the old IT company produce the signed agreement transferring (selling) the domain to them. When they can't, you be able to demonstrate theft.
If the account is in the IT company's account, the transfer will be the written record. There is little to no way for them to have access to it (and the company to not to) without their being a really solid paper trail.
-
@Dashrender said in Old IT won't provide documentation or passwords:
This is a tricky situation - We recently talked about it here. In one case the IT company could claim it was their domain and they were setting it for their customers use, but not ownership... I have no idea how that would turn out in a court battle, except to say bloody.
I doubt that a court would even hear it. Unless there is a written paper trail making them contractually accountable, the OP's company wouldn't even have enough to take them to court.
Imagine if I just claimed that any random's person's domain was mine and when asked to prove it I said "I have nothing, just take my word for it."
Like... McDonalds.com. Hey courts, I own this domain. McDonald's is just holding it for me. Make them give it back.
The OP's company is in a similar boat most likely. They've paid the IT company from time to time. I've paid McDonald's from time to time. Buying IT services or French fries from a company doesn't suggest that I have any claims to IP that they own.
-
@scottalanmiller said in Old IT won't provide documentation or passwords:
@Dashrender said in Old IT won't provide documentation or passwords:
This is a tricky situation - We recently talked about it here. In one case the IT company could claim it was their domain and they were setting it for their customers use, but not ownership... I have no idea how that would turn out in a court battle, except to say bloody.
I doubt that a court would even hear it. Unless there is a written paper trail making them contractually accountable, the OP's company wouldn't even have enough to take them to court.
Imagine if I just claimed that any random's person's domain was mine and when asked to prove it I said "I have nothing, just take my word for it."
Like... McDonalds.com. Hey courts, I own this domain. McDonald's is just holding it for me. Make them give it back.
The OP's company is in a similar boat most likely. They've paid the IT company from time to time. I've paid McDonald's from time to time. Buying IT services or French fries from a company doesn't suggest that I have any claims to IP that they own.
While in general I don't disagree with Scott here - I do say have more than just some random name being held by the IT company. In this case we assume the name is closely associated with the OPs identity. So the case could be made. Also, if it can be shown the IT vendor didn't buy the name until the OP became a client, at minimum it shows the situation only exists because the OP became a client - though this doesn't really help in the lease versus bought on my behalf situation.
Definitely in for a huge set of problems here if the IT company wants to stick it to them. -
I think a large portion of the 'lease' question comes up to what the contract that the customer and old IT vendor signed.
Call the attorneys and have them sort it out.
There's nothing you can do about it, based on this topic the old vendor is going to be a PITA.
-
I agree on this being a legal issue. I mean if I assist them in getting access to the domain and it turns out that they technically don't own it, then I am opening myself up to liability.
At this point my only option to support their hardware is to modify the root password on their VMWare server and then modify the domain admin password assuming there is no encryption in place. I would much rather the client contact their attorney and have the old IT hand everything over.
-
@syko24 said in Old IT won't provide documentation or passwords:
I agree on this being a legal issue. I mean if I assist them in getting access to the domain and it turns out that they technically don't own it, then I am opening myself up to liability.
Well, only if you break the law. How can you aid them other than begging the previous provider to turn it over? If you try to crack the password or go over there with a baseball bat, yeah, you'd get in trouble for those things.
-
@syko24 said in Old IT won't provide documentation or passwords:
At this point my only option to support their hardware is to modify the root password on their VMWare server and then modify the domain admin password assuming there is no encryption in place. I would much rather the client contact their attorney and have the old IT hand everything over.
Pretty much, yeah, if they aren't willing to take the proper business steps, all you can do is mitigate.