Canadian retailer NCIX filed for bankruptcy and closed 10 months ago. They were the premiere PC hardware retail store in Canada and even did a sizable business on the other side of the border. However, as Travis Doering of Privacy Fly found out, the company did not go quietly away without doing some damage to their customer’s security first.
Doering recounts meeting up with a Craigslist seller claiming to have NCIX’ Database servers for only $1500 CAD. This includes a Database Server from NCIX and a Database Reporting Server, allegedly legally obtained via Able Auctions. Prior to NCIX shutting down, their assets were sold off through this company.
What is surprising however, is that after some probing, the seller divulged that the data on these servers were actually unwiped, and that he actually had three servers in his possession. Doering did his due diligence and followed up to verify. And sure enough, what he found was quite shocking.
Not only did the seller posses three unwiped servers from NCIX, he also had around “300 desktop computers from NCIX’s corporate offices and retails stores”. In fact, the seller turned out to have “18 DELL Poweredge servers, as well as at least two Supermicro server’s running StarWind iSCSI Software that NCIX had used to back up their hard disks.”
In addition, there where also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers. Suggesting that he had direct access to these and not through the auction as the seller initially suggested.
From what Doering saw, the computers contained various papers and documents. Some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”. This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high end escorts from mainland china.
One drive also contained a treasure trove of confidential data. This includes credentials, invoices, photographs of customers ID’s, Bills, and an employee’s T4 (Tax form) among other files.
Worst of all however, is that he also stumbled into unencrypted tables containing consumer information. This has their addresses, names, contact information and all necessary information to steal their identity. This not only includes NCIX customers from Canada, but from the US as well.
The database also contained full credit card payment details in plain text for 258,000 users.
For a more detailed recounting of this security issue, follow this link to Privacy Fly’s NCIX data breach blog entry.