Full Disclosure mailing list archives

Diamond Prize Center internal documents not secure ...


From: James Malberry <jamesny10028 () hotmail com>
Date: Thu, 9 Oct 2008 17:00:16 -0700


Here's an actual telemarketing script to get you to go to a timeshare presentation. I do not work for Diamond Prize, 
nor am I a former employee. I am a tax accountant that has a background in Information Technology. Their company site, 
www.diamondprizecenter.com, is a single webpage that is password protected. I did not hack this website; Google crawled 
their site (and all sites) and cached one of their training pages, which I have reproduced below. If this email does make 
it back to DPC, I suggest the following:
 
1) Rewrite your script(s), without brainer.
2) I highly suggest that you remove sarcastic comments.
3) In the beginning of the script, you should state your *purpose* of the call.
4) Also suggested is to ask the prospect if they entered for a car in the last 90 days.
 
Buried in the script is an admission that 1 in 4 people actually stay during the whole 90-minute presentation. Whoever is 
left gets a scratch-off to see who gets what prize. I would post plain and clear on your website as to how your 
contest is "State registered for the last 22 years". Such a claim could border on fraud, and this email is already in 
the hands of state attorneys general and the Department of Consumer Affairs.
The site also features 'recruitment pages' in order for current agents to earn a referral bonus. These pages are under 
the main DPC domain name. The typical format is: www.diamondprizecenter.com/(recruiter's nickname).
 
If you *are* Damien Tackett, founder of Tackett, LLC, you have not done the due diligence required to maintain your 
company's security. You may decide to keep your single password box to internal documents; however, you should not have 
your documents in clear text after that. I would zip them, encrypt them, and rotate the passwords based on the training cycle.
 
Or you do what larger corporations do: install a DMZ on your network, and put up a password box there, so an agent can 
authenticate through the DMZ and onto the internal network, where your internal training documents SHOULD be. 
Considering how everything is on one server, online, I presume that all your DPC listings are there as well, and if 
your DPC list is complete without regard to any security, those W9s that you require agents to fill in can be stolen.
 
It would take an actual hacker and disregard for the law to steal corporate data. I am a white hat systems analyst. I 
publicly point out problems concerning companies' IT procedures.
 
Through your homepage on your public domain, there is an admission by DPC that someone is posing as DPC and is engaged 
in a fake check scam. Whether you are the victim or the perpetrator, the general public must be aware that they could get a fake 
check from DPC urging the consumer to cash it. Granted, on your page, you are talking to federal authorities on the 
matter and have warned consumers about the fake check scam; again, your due diligence is not completely fulfilled. 
Have you actually contacted all the consumers that your company sent to those QAs [qualified appointments] in the 
first place? I'm not talking email here, I'm talking about actual hard-copy letters stating that DPC was targeted in a 
fake check scam.
 
When I experienced a data loss of income tax records, I immediately sent all clients a hard-copy letter describing the 
data loss, information about identity theft, and contact information for the three credit bureaus with their 800 
lines, advising clients to put themselves on a fraud watch list for six months. That, sir, is due diligence.
 
If and when things at DPC get back to normal, you also need to perform due diligence on fully disclosing the 1099 
status for agents. Sure, you mention that it's work at home, and 1099, meaning self-employed, but it's buried on the 
site. You must use everyday language as to what the tax implications of becoming a 1099 contractor actually are. Your 
spamming of Christian message boards illustrates this point.
 
A word about taxes and your script. DPC agents frequently talk about how there are no single men because they didn't pay 
their taxes on the car they won. As a company, your diligence is giving the contest winner a W9 to fill in that 
discloses his or her social security number. Your responsibility is limited to reporting the income earnings to the 
IRS. The IRS is responsible for tax collection, not you, not DPC, nor any of your agents. If the taxpayer does not 
report their income properly, the IRS will add penalties and interest in hopes of collecting taxes due. That is out of 
your hands.
 
I hope you take this letter seriously, and constructively. My intent was not to harm DPC, nor you personally, Mr. 
Tackett. I don't mind telemarketing companies doing legitimate business. Where the problem lies is that agents are 
leaving messages telling the consumer that they won a prize, and to call us back. That antic is illegal. Instruct your 
agents of such fact, and continue to use your word, "finalist".
 == BEGIN telemarketing script ==
< ... snip ... >
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/