News

NCIX Database Servers Sold at Craigslist Without Being Wiped

Millions of Canadian and American Consumers at Risk

Canadian retailer NCIX filed for bankruptcy and closed 10 months ago. They were the premiere PC hardware retail store in Canada and even did a sizable business on the other side of the border. However, as Travis Doering of Privacy Fly found out, the company did not go quietly away without doing some damage to their customer’s security first.

Doering recounts meeting up with a Craigslist seller claiming to have NCIX’ Database servers for only $1500 CAD. This includes a Database Server from NCIX and a Database Reporting Server, allegedly legally obtained via Able Auctions. Prior to NCIX shutting down, their assets were sold off through this company.

Unwiped and Unencrypted

What is surprising however, is that after some probing, the seller divulged that the data on these servers were actually unwiped, and that he actually had three servers in his possession. Doering did his due diligence and followed up to verify. And sure enough, what he found was quite shocking.

Not only did the seller posses three unwiped servers from NCIX, he also had around “300 desktop computers from NCIX’s corporate offices and retails stores”. In fact, the seller turned out to have “18 DELL Poweredge servers, as well as at least two Supermicro server’s running StarWind iSCSI Software that NCIX had used to back up their hard disks.”

In addition, there where also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers. Suggesting that he had direct access to these and not through the auction as the seller initially suggested.

What Are on These Computers?

From what Doering saw, the computers contained various papers and documents. Some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”.  This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high end escorts from mainland china.

One drive also contained a treasure trove of confidential data. This includes credentials, invoices, photographs of customers ID’s, Bills, and an employee’s T4 (Tax form) among other files.

Worst of all however, is that he also stumbled into unencrypted tables containing consumer information. This has their addresses, names, contact information and all necessary information to steal their identity. This not only includes NCIX customers from Canada, but from the US as well.

The database also contained full credit card payment details in plain text for 258,000 users.

For a more detailed recounting of this security issue, follow this link to Privacy Fly’s NCIX data breach blog entry.

Ron Perillo

Disqus Comments Loading...

Recent Posts

Electronic Arts Titles Played for Over 11 Billion Hours in 2024

Electronic Arts (EA) announced today that its games were played for over 11 billion hours…

2 days ago

Just 15% of Steam Gaming Time in 2024 Was Spent on New Releases

Steam's annual end-of-year recap, Steam Replay, provides fascinating insights into gamer habits by comparing individual…

2 days ago

STALKER 2 Gets Massive 110GB Patch With 1800+ Fixes

GSC GameWorld released a major title update for STALKER 2 this seeking, bringing the game…

2 days ago

Intel Unveils Core 200H Processors Based on the Previous Raptor Lake Refresh

Without any formal announcement, Intel appears to have revealed its new Core 200H series processors…

3 days ago

Ubisoft Reportedly Developing a New Quadruple A Game

Ubisoft is not having the best of times, but despite recent flops, the company still…

3 days ago

STALKER 2: Heart of Chornobyl Update 1.1 Fixes 1,800 Issues and Revamps A-Life 2.0

If you haven’t started playing STALKER 2: Heart of Chornobyl yet, now might be the…

3 days ago