Thursday, September 20th 2018

NCIX Database Servers Containing Unencrypted User Data Cause Yet Another Data Breach

As if the Newegg data breach reported yesterday was not enough, NCIX decided to haunt everyone from the grave when news of a much larger data breach came out today. Readers of our website may be aware that NCIX declared bankruptcy last December, and that all of its assets were put up for sale in a multi-day auction run by the Able Auctions firm earlier this year. Most of the items on sale were innocuous, including remaining PC DIY components and office supplies, but an investigation by Privacy Fly, a cyber security firm from Canada, shows that something much more sinister ended up in the hands of people who knew what they were doing. In particular, an unidentified male who called himself "Jeff", acting either independently or on behalf of another company, had procured the entire NCIX server farm at the auction and then sorted through the data to determine what was "useful" and what was not.

By this, he was referring to unencrypted and/or easily cracked user data stored on the servers, which NCIX had not bothered to remove or put behind a stronger password; the contents were laid bare for Privacy Fly to examine after the server was unlocked. These servers were put up for sale for $1500 (CAD) on Craigslist of all places, in a bold move effectively selling user data by the tens of thousands. "Jeff" confirmed he was in possession of hundreds of desktops, hard drives and more servers, which, along with the StarWind iSCSI Software that was included in the auction and used by NCIX for all their years of existence, meant every single customer and former employee was exposed by the breach. To be more specific, we are talking about financial records including payroll information, residence and email addresses, payment information and even Canadian SIN numbers, all available to be seen and purchased by the lot. Be it the fault of NCIX or Able Auctions, knowing that unencrypted data servers were sold without being wiped is terrifying, and we recommend taking whatever action is appropriate for your country of residence.
Source: Privacy Fly

19 Comments on NCIX Database Servers Containing Unencrypted User Data Cause Yet Another Data Breach

#1
Durvelle27
I’ve never seen so many security breaches in my life in just a year's time
#2
R-T-B
Durvelle27 said: "I’ve never seen so many security breaches in my life in just a year's time"
Thing is, this isn't a breach. This is stupidity. They literally sold the unencrypted servers on the open market without wiping them.
#3
DeathtoGnomes
That's where Linus (LTT) started out, bet he is laughing right about now.
#4
Fleurious
DeathtoGnomes said: "That's where Linus (LTT) started out, bet he is laughing right about now."
I dunno, as an ex employee they probably have his social insurance number on there somewhere.
#5
Cruise51
Frankly... This is criminal negligence.
#6
hat
Enthusiast
Dude... wat. I can't help but wonder if this was intentional somehow, nobody just gives away data like that.
#7
Caring1
hat said: "Dude... wat. I can't help but wonder if this was intentional somehow, nobody just gives away data like that."
The Administrators in charge of asset sales only care about cents in the dollar returns, not security.
Legally they should be liable if anything criminal results from this.
#8
newtekie1
Semi-Retired Folder
Caring1 said:
"The Administrators in charge of asset sales only care about cents in the dollar returns, not security.
Legally they should be liable if anything criminal results from this."
After reading another article on what happened, it seems that NCIX was renting a warehouse to store all this stuff. But they didn't pay their rent, so the landlord sold it all without bothering to wipe it.

I don't think the landlord was legally obligated to wipe data. Maybe morally though.

What bothers me was all this data was stored unencrypted! That's just dumb.
#9
R0H1T
Some of the files though, what's Ron Weasly up to :roll:
#10
remixedcat
DeathtoGnomes said: "That's where Linus (LTT) started out, bet he is laughing right about now."
LMG server was hosed too a while back. Seems to follow him.
#11
Indra18
I think this is a shame for a whole country like Canada and the business firms there... just imagine how many VPN services and seed boxes are running in Canada now, and all your data is in danger because, look at this case and try to imagine...
If this happened in the USA, propaganda would use "Russia hackers, Russia, Russia" )))
Both countries (USA and Canada) are now third world!
Just watch the charlieboo313 YouTube channel...
#12
Deathy
newtekie1 said:
"After reading another article on what happened, it seems that NCIX was renting a warehouse to store all this stuff. But they didn't pay their rent, so the landlord sold it all without bothering to wipe it.

I don't think the landlord was legally obligated to wipe data. Maybe morally though.

What bothers me was all this data was stored unencrypted! That's just dumb."
A quote from the linked article: "[Jeff] was helping NCIX’s landlord recover the money he was owed in exchange for being able to copy the source code, and database to aid his development team on a project." That certainly doesn't sound legal and the owner of the warehouse had knowledge of it and seemed okay with it. And in Germany, you have to go through an arduous process when you want to remove a tenant owing you rent, and being allowed to sell off their stuff to cover your cost has even higher legal restrictions. Selling something with personal data on it is pretty much illegal in any case and can incur fines of several tens to hundreds of thousands of Euros. I doubt it is much different in Canada. Even companies that went bankrupt have certain obligations still, like keeping records safe and available for anywhere between 5 to 10 years, and the people handling the bankruptcy can be held legally accountable.
#13
remixedcat
This also will screw over NCIX bc nobody will do biz with them. If you can't bother with rent how are you going to do other things?
#14
DeathtoGnomes
remixedcat said: "This also will screw over NCIX bc nobody will do biz with them. If you can't bother with rent how are you going to do other things?"
NCIX went out of business in 2016, I think.
#15
remixedcat
O. Haven't really kept up with that. Lol
#16
The Jedi
That is an incredible story.

Their e-commerce platform software they developed would probably have a development cost well in the tens of thousands of dollars, maybe as high as a hundred grand. Think, they would've had barcode integration and tying in with accounting. That would've had some value to the right buyer. With their web servers and source code, any talk of anything having been encrypted goes out the window.

I guess industries mature and they consolidate with fewer players, and NewEgg and Amazon have upped the burden of competing in e-commerce.
#19
StrayKAT
Durvelle27 said: "I’ve never seen so many security breaches in my life in just a year's time"
I'm not even sure this qualifies as the usual. It's just plain stupidity.