They lied about how they protect what they take.
Security claims contradicted by observed practices. The vendor claims AES-256 encryption and strict access controls, but their scripts transmit data over unencrypted channels, use weak hashing, or expose identifiers in URL parameters visible in server logs.
How This Escalates BTI-C Findings
Escalates exfiltration findings (C03, C16) into security negligence. If data is being exfiltrated AND the transmission is insecure, the vendor is not just taking — they're broadcasting.
Related Advisories
No published advisories reference this code yet.
Investigations are ongoing.
Blackout uses security frameworks to protect AGAINST vendors, not FOR them. We do not notify vendors. We do not provide remediation windows. If you're using a vendor flagged by this code, the advisory is your evidence.
Permanent URL: deployblackout.com/bti/codes/X09