NCIX may have suffered a serious data breach

Bankrupt Canadian tech retailer NCIX has apparently suffered a major data breach that could impact millions of customers and employees going back 15 years.

After the company shut down, it’s alleged their servers were being sold to third parties without first being wiped, potentially exposing sensitive corporate data to anyone who happened to buy them.

Travis Doering of cyber security firm Privacy Fly says he was able to examine these servers at a reseller, who claimed he had acquired them from a Vancouver-based auction.

The seller claimed to have acquired both from Vancouver-based Able Auctions. I would later find out that was a lie, crafted to conceal their true origin. I emailed the seller and plainly stated, “I am interested in the server, does it have data in the database or is it a fresh install? I am primarily interested in the data.” To which I received no reply. August 21st, 2018. Twenty days had passed since my inquiry when I received the following response, “sorry for replying late, it has the data. it’s unerased server contents.” The seller proceeds to inform me that he has three NCIX servers for sale for which he has the passwords required to log in.

Doering met with the seller at a warehouse in Richmond, BC, where the seller gave him a couple of NCIX servers as well as the passwords. With hardware in hand, Doering says he sat down and started reviewing the contents.

Located on the servers was a whole host of confidential data, including employee T4 tax forms and social insurance numbers, as well as a customer billing database including names, addresses, and phone numbers. Allegedly, none of the data was encrypted. The seller claimed he was able to crack their iSCSI servers in about five minutes with very simple tools, and described their security as “really, really, bad”.

Obviously this is pretty serious if true, and we have no reason to believe otherwise, not only because of the lost data but because of the sheer callousness of a major IT retailer when it came to data security. Unlike other breaches we’ve seen in the past, this is not some organized hacking ring, just a random guy in a warehouse with some basic tools and spare time on his lunch break.

At the time of writing, there is no evidence to suggest that any of this data has been used for nefarious purposes, though former customers and employees may want to keep a close eye on their financial statements.
