The data of NCIX, one of Canada’s biggest PC hardware retailers on servers was put up for sale on Craigslist. The data which is believed to be around 15 years old includes the details of the customers and the employees. The retailer NCIX was closed in December 2017 after filing for bankruptcy.
This data breach seems to take place after the shops, retired old servers and employee workstations were closed. It is not known how the servers were advertised on Craigslist.
Travis Doering of Privacy Fly have found the ad for two servers in August. Doering met with the seller who was an Asian man from Richmond, British Columbia, who introduced himself under the name of “Jeff.”
Doering said that he was interested in acquiring data stored on the servers which were kept for sale at a price of CAD$1,500 (USD$1,150) each.
After meeting with Jeff several time, Doering said that he found the seller had access to even more NCIX servers and workstations other than those which were initially advertised on Craigslist.
Jeff claimed that he gained access to NCIX’s former hardware after the company failed to pay a CAD$150,000 (USD$115,000) bill for warehouse storage space and that he was helping the warehouse owner sell the equipment. These details however could not be verified from any source.
According to Doering, Jeff had access to around 300 desktop computers from NCIX’s corporate offices and retails stores, 18 DELL Poweredge servers, and at least two Supermicro server’s running StarWind iSCSI Software that NCIX had used to back up their hard disks.
Jeff permitted Doering to access the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from different manufacturers.
During the meetings Doering were able to access various backup images and hard drives and he says that he found personal data such as credentials, invoices, photographs of customers IDs, bills, customer names, addresses, email addresses, phone numbers, IP addresses, and unsalted MD5 hashed passwords and much more.
A database table containing 258,000 payment card details, stored in plaintext and another table containing 3,848,000 customer orders were also found. He was able to access a backup image for the computer of Steve Wu, NCIX’s founder.
Normally when a company is shut down, they erase the servers to prevent unauthorized access to their old data. While creating backups they usually encrypt their data. But Doering said data stored on all this equipment was not encrypted.
Doering on further negotiations with Jeff found that he was willing to allow him to copy all the NCIX customer data from all server hard drives without buying the hardware. Jeff also confirmed that at least one other person already bought some of the old NCIX user data.
However, the reports of Doering seems to be unbelievable as such a large company like NCIX wouldn’t encrypt user data or wipe servers before decommissioning its hardware. Doering said that he is still reviewing the NCIX data which he was able to access and he is planning to update his original report with a more accurate count of user data.