NCIX Database Servers Sold at Craigslist Without Being Wiped

NCIX Database Servers Sold at Auction Without Being Wiped

Millions of Canadian and American Consumers at Risk

Canadian retailer NCIX filed for bankruptcy and closed 10 months ago. They were the premier PC hardware retail store in Canada and even did a sizable business on the other side of the border. However, as Travis Doering of Privacy Fly found out, the company did not go away quietly without first doing some damage to their customers' security.

Doering recounts meeting up with a Craigslist seller claiming to have NCIX's database servers for only $1500 CAD. This included a database server from NCIX and a database reporting server, allegedly legally obtained via Able Auctions. Prior to NCIX shutting down, their assets were sold off through this company.

Unwiped and Unencrypted

What is surprising, however, is that after some probing, the seller divulged that the data on these servers was unwiped, and that he actually had three servers in his possession. Doering did his due diligence and followed up to verify. Sure enough, what he found was quite shocking.

Not only did the seller possess three unwiped servers from NCIX, he also had around “300 desktop computers from NCIX’s corporate offices and retail stores”. In fact, the seller turned out to have “18 DELL Poweredge servers, as well as at least two Supermicro servers running StarWind iSCSI Software that NCIX had used to back up their hard disks.”

In addition, there were also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers. This suggests that he had direct access to the equipment rather than obtaining it through the auction, as the seller initially suggested.

What Is on These Computers?

From what Doering saw, the computers contained various papers and documents, some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”. This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high-end escorts from mainland China.

One drive also contained a treasure trove of confidential data. This includes credentials, invoices, photographs of customers’ IDs, bills, and an employee’s T4 (tax form), among other files.

Worst of all, however, is that he also stumbled upon unencrypted tables containing consumer information. These hold addresses, names, contact information and all the information necessary to steal a customer's identity. This includes not only NCIX customers from Canada, but customers from the US as well.

The database also contained full credit card payment details in plain text for 258,000 users.

For a more detailed recounting of this security issue, follow this link to Privacy Fly’s NCIX data breach blog entry.

5 Comments

  1. Please fix your headline/article. The servers were not acquired via Able Auctions. The original article clearly states this was just a false cover story.

    1. +1. Not to mention the fact that Steve Wu was a well-versed network engineer and would have known that he and/or his company were lazy with their encryption and practices. Companies go bankrupt for a reason lol

  2. I find it interesting that no one has discussed the possibility that the Trustee that managed the bankruptcy did not automatically take on the responsibility to ensure that the data was destroyed upon dissolving the entity. In other words they should be liable for any and all damages for failure to ensure that this data was destroyed properly. Alternatively, if the landlord took possession of the equipment for the purpose of selling to offset its losses. While I believe they have the right to sell the equipment. The sale of the data itself is both criminal and unethical. Again, I would suggest that they as well should be liable for damages.

  3. f the equipment for the purpose of selling to offset its losses. While I believe they have the right to sell the equipment. The sale of the data itself is both criminal and unethical.

  4. I have one question. Why didn’t Travis Doering report this guy to the police or do anything? They met on a few occasions? What is the point of writing or telling people about this after the fact that everything was already sold? So basically, by not reporting anything, Doering let this happen. Also, they know who the landlord is and the guy who sold the information. Please start the arresting of these criminals.
