[Update: after publication of this article, the Mathew Judge website has been taken down.]

Recent court filings in US Federal court have unmasked the identity of the pseudonymous “IT expert” who launched the debunked theory that “Oxebridge hacked its own website” as UK-based ISO consultant Mathew Judge. The defamatory claim has gained new steam as it’s now being spread by ASQ representatives in retaliation for reporting done by Oxebridge.

As deconstructed here, Judge claimed Oxebridge hacked its own website, citing as evidence the metadata of an image he pulled from the Oxebridge site. The image he analyzed was not those created by the hacker, but a screenshot taken later by Oxebridge as evidence of the hack. While Judge claimed the metadata “proved” Oxebridge hacked its own site, he immediately backed off that claim, saying, “prove may be too strong a word.”

Mathew Judge’s LinkedIn profile, which was filed with the court apparently without his knowledge, claims that he has been an ISO consultant since 2006; prior to that, Judge had only a few years of working for actual companies, doing 3 years of “project management consulting” for a company called Project Ordnance, also owned by Judge. Judge has no verifiable IT security experience, nor does he claim to be an IT expert, yet he was referenced in the court filings as “a real, qualified internet security specialist.”

Despite claiming to have operated his consulting firm since 2006, official UK business records show “Mathew Judge Ltd.” was only formed in 2015. In fact, Judge seems to have “appeared” in the ISO consulting space only in 2015, and there’s no online presence for him in the industry prior to that. A search for “Mathew Judge ISO” in Google, filtered for results from 2006 to 2014 results in no hits. Even his own list of clients, shown on LinkedIn, only reveal work done since 2015.

Judge’s motives in defaming Oxebridge may be that he sees himself as a competitor in the ISO consulting space. Judge’s list of clients include one company in Oxebridge’s home state of Florida, Global Semisolutions. The reference appears fabricated, however, as the former CEO of the company indicated he’d never heard of Judge, and that the company closed in 2014. The company’s closure is supported by official Florida State corporate filings. Judge, meanwhile, claims to have implemented AS9100 for Global in 2017, and claims to still be working with them. There is no other company in Florida registered under that name.

Judge also markets his ISO implementation program in a similar fashion as Oxebridge. Whereas Oxebridge offers a “Rapid 40-Day ISO 9001 Implementation Program,” Judge claims to have a “30-Day” program.

Judge’s expertise in IT is also dubious, given problems with his two consulting websites. The first site, www.mathewjudge.com, resolves to an iPage hosting alert that reads “This site is temporarily unavailable.” The message is typical if a hosting customer has failed to pay their bill, or has failed to redirect web traffic from an old host provider to a newer one.

Judge’s second website, located at www.mathewjudge.co.uk is also not finished despite having launched in 2015, and includes template “lorem ipsum” filler text on the pages:

Making matters worse, Judge’s website appears to be comprised almost entirely of material plagiarized from multiple other sources, including ISO registrars, competing consultants and at least one US author. His entire page describing ISO 9001 includes text which also appears on the website for the accredited certification body ACS Registrars:

Judge’s page on “Consultancy” contains the exact text appearing on a 2013 website for the consulting firm ISOAssured UK.Judge’s page on CHAS accreditation appears to have been taken from the website of the consulting firm Seguro, and even includes the phone number for Seguro, rather than that of Judge. Even the number of clients Judge claims to have (“500 applications every year“) was plagiarized from the Seguro site.

Judge’s page on ISO 45001 appears to have been taken from the ISO registrar BSI.

Likewise, Judge’s page on AS9100 comes from BSI:Judge’s page on ISO 27002 utilizes a passage from the book Computer Security by the author Robert C. Newman:Representatives from ACS Registrars and BSI, as well as the stock photo distributor Shutterstock, have reported they are investigating the Judge websites for copyright violations.

Judge’s website also makes the unlikely claim that he’s implemented “over 1,000 quality management systems worldwide to date.” His LinkedIn profile lists about 20 clients, while the website lists none at all. He also indicates he “guarantees” certification, typically a red flag since certification can only be guaranteed when an improper relationship is operating behind the scenes between the consultant and registrar.

Judge appears to be the only employee within his firm. If so, and assuming his 30-day implementation period was used for each client, Judge would have to have worked over 80 years to have implemented quality systems in 1,000 companies. If, as UK records show, Judge’s company has only been in existence for two years, then he would have had to have implemented at least a full quality management system every 24 hours, without a single day of rest, to reach over 1,000 clients.

Oxebridge spoke with one former client of Judge, who confirmed he existed, but did admit that Judge did the entire implementation work remotely, and showed up in person only “on the day of the audit.” That client admitted that the implementation took about a full year, and not “30 days.”

Judge did not respond to multiple attempts to contact him to clarify points in this report. While his LinkedIn account was accessible as of February 8th, as of this writing Judge blocked Oxebridge from accessing his profile.

UPDATE: As of February 10, the site at www.mathewjudge.co.uk now reports as “undergoing maintenance.”