WHMCS shared our financial transaction information with an unauthorized third party

[agentblack]

Since we can't seem to get any response from WHMCS via a support ticket, their legal department, Web Hosting Talk, or on Twitter, going to post this here for all to be aware of.

On August 23rd, 2023, we were contacted by an unknown to us third party that reported WHMCS in responding to their BBB complaint,  shared a screenshot of a financial transaction that took place between us and WHMCS. This information was not authorized to be disclosed and the information was not for public consumption.  The reporting party provided additional information, including the response from the BBB that included WHMCS's response to provide additional authenticity to the report.  The transaction numbers listed in the screenshot that WHMCS sent to the BBB to respond to the unknown person's complaint matches a transaction that occurred between WHMCS and us in 2021 shortly after they terminated our owned license to the software.

To date, WHMCS has not acknowledged they released our information to this third party, they have not responded to repeated attempts at contact, and other than a generic "we have forwarded this to a manager" response to a support ticket, they have not made any attempts at any meaningful contact.

WHMCS was not and is never authorized to release financial transaction data involving our company and this is just another serious transgression against their customer base.  WHMCS should not be trusted in any form or manner, with any company's sensitive financial records especially if they can't keep your data private.  At the time of this writing, we have filed notices with the Texas Attorney General, Virginia Attorney General, BBB of Texas, IC3, and the Federal Trade Commission.  If a meaningful response is not afforded by WHMCS in thirty days from first contact regarding this issue, additional complaints will be lodged with European and United Kingdom regulators to make them aware of improper customer data handling by a company with a headquarters office in their jurisdiction.

Beware of WHMCS and monitor your sensitive information closely even when you're no longer a customer!

[lulzkiller]

Please elaborate. 

Did they release a transaction that happened between you and whmcs, aka you paid for a whmcs service of some sort. OR did they release private information from inside your WHMCS install, between a customer and you ?

[bear]

4 hours ago, lulzkiller said:

Did they release a transaction that happened between you and whmcs

I'd say yes.

Quote

...shared a screenshot of a financial transaction that took place between us and WHMCS

 

[lulzkiller]

10 hours ago, bear said:

I'd say yes.

 

I was thinking this also, but had to be completly certain. If they leaked confidential client information from inside our whmcs installs, that would be extremely bad. 

[agentblack]

They released the transaction ID, amount, etc. for a transaction between us and WHMCS to this unknown third party via the third party's complaint to the BBB from over two years ago. They were replying to that person's complaint, but gave away our financial transaction information to that customer.  We have STILL not heard anything from WHMCS, not even an acknowledgement that they are looking into it.

Since they have not responded, we have alerted the Attorney General's for Texas and Virginia to the breach of customer data and privacy violations.  Maybe one of them could prod them into responding.

If they can release a financial transaction between a customer and them, what else are they "accidentally" going to release?

[agentblack]

Update: in response to the ticket that was submitted to these people, they "Escalated" the ticket right to a closed status without providing any answers. Ticket has been reopened.

 

What is WHMCS hiding? Why are they refusing to discuss this breach of our privacy?  Is there an undisclosed breach into their systems? Why are they not communicating to us?

[DennisHermannsen]

What exactly was shared with the third party? Was it anything else besides the transaction ID and amount (like company details)?
I don't even know what a BBB is, so if anyone is willing to dumb everything down for me, it would be much appreciated! 😊

[SimpleSonic]

Who was the 3rd-party and why would your transaction information be involved with the BBB case of a 3rd-party?

I'm guessing your transaction information was included in a screenshot they provided to the BBB for a case unrelated to you? If so, the question is, was it accidental or negligence?

[WHMCS Rex]

We can't have discussion of legal issues here, so this thread is locked.