Customer info from bankrupt B.C. retailer allegedly being sold online

VANCOUVER — Police in Richmond are investigating allegations that database servers containing sensitive and unencrypted customer data from the bankrupt tech retailer NCIX are being sold online.

An investigation was opened Thursday and the database servers in question have been seized, Richmond RCMP said in a statement.

Vancouver-based tech retailer NCIX filed for bankruptcy late last year, closing more than a dozen stores and auctioning off most of its remaining goods, including hardware and software.

According to an article posted online by Vancouver cybersecurity expert Travis Doering, NCIX compromised security for hundreds of thousands of customers, whose private data — including IP, home and email addresses, passwords, credit card information and social insurance numbers — was being sold to the highest bidder on Craigslist.

In an article written for Privacy Fly, described as a boutique cyber-security firm based in Vancouver, Doering said a Craigslist post advertising NCIX database servers led him to a Richmond warehouse, where he discovered that the full records of the now-defunct company, dating as far back as 15 years, were readily available for purchase.

Doering said the servers, which the seller claimed had been purchased through Able Auctions, were never wiped. As a result, prospective buyers were invited to either buy the servers and all the data with them, or simply copy the data to their own hard drives for a five-figure fee.

Doering said many of these records were completely unencrypted, and those that had some measure of security were easily cracked — a fact the seller even boasted about.

The seller, who identified himself as Jeff, bragged that he could “crack their ISCSI server with very simple tools in five minutes,” and called the security “really, really, bad,” according to Doering.

“The data I have seen today contained some [of] the most damaging and extensive records I have ever come across covering at least seventeen years of business transitions,” Doering wrote. “Data breaches by external actors are common in today’s digital world but what makes this set of data so damaging is that it contains every record NCIX ever held.”

By failing to secure their customer data upon bankruptcy, Doering explained, NCIX potentially allowed millions of confidential records to be sold anonymously and without any oversight.

If all this is true, millions of North American consumers are at risk of identity theft and fraud as a result, even after RCMP seizure of the hardware.

“The data can easily be used to cash out credit cards, craft convincing phishing messages containing details on purchases and commit identity theft,” he wrote.