NCIX data breach



Quote

The nciwww file contained 291 tables from their NCIX US store and had multiple versions of the file with data going back to 2007. The version I spent time analyzing was dated between November 2013 and February 2015. All the various versions of the MDF database files had been unencrypted with the last file being dated in 2017 for most of the databases. The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.

Source: https://www.privacyfly.com/articles/ncix_breach

 

While it's been picked up by a few others, this is still the singular originating source about this breach, so this is still allegedly what has happened. As a reminder for those not aware, the Canadian retailer went bankrupt on December 1 last year. Due to a number of bad practices on both its part and those in charge of liquidating the assets, company servers and PCs sent in for repair were sold off as part of the auction with customer data still on them. Furthermore, transaction data as well as employee records, tax forms, and other related files were still left on said HDDs, stretching back about a decade and a half.

 

If you've ever bought something from NCIX, it's best you monitor your credit card for any fraudulent charges.


Quote

 

A security researcher has found customer and employee data belonging to one of Canada's biggest PC hardware retailers on servers put up for sale on Craigslist. The data, believed to go back as far as 15 years, belongs to NCIX, a PC retailer that filed for bankruptcy and closed shop in December 2017.

 

The massive privacy breach appears to have taken place after the retailer closed its stores last year and retired old servers and employee workstations.

 

It's unclear how these servers ended up advertised on Craigslist, but they did. Travis Doering of Privacy Fly discovered an ad for two servers in August.

 

During the course of a month, Doering met with the seller, an Asian man from Richmond, British Columbia, who introduced himself under the name of "Jeff."

 

Doering says he made it clear from the beginning that he was interested in acquiring data stored on these servers, put up for sale for CAD$1,500 (USD$1,150) each.

 

After several meetings, Doering says he discovered that the seller had access to many more NCIX servers and workstations than he initially advertised on Craigslist.

 

Jeff claimed to have gained access to NCIX's former hardware after the company failed to pay a CAD$150,000 (USD$115,000) bill for warehouse storage space and that he was helping the warehouse owner sell the equipment. None of this could be corroborated from any source.

 

But Doering did say Jeff had access to "300 desktop computers from NCIX's corporate offices and retail stores, 18 DELL Poweredge servers, as well as at least two Supermicro servers running StarWind iSCSI Software that NCIX had used to back up their hard disks."

 

In addition, Jeff also granted Doering access to "109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers."

 

On the various backup images and hard drives Doering accessed during his meetings with Jeff, he says he found personal data such as credentials, invoices, photographs of customers' IDs, bills, customer names, addresses, email addresses, phone numbers, IP addresses, and unsalted MD5 hashed passwords, just to name a few.

 

He also found a database table containing 258,000 payment card details, stored in plaintext and another table containing 3,848,000 customer orders.

 

Doering says he even accessed a backup image for the computer of Steve Wu, NCIX's founder.

 

When companies shut down, they usually wipe servers to prevent unauthorized access to their old data. Companies also usually encrypt their data when creating backups. But Doering said data stored on all this equipment was not encrypted. 

 

In subsequent negotiations with Jeff, Doering says he discovered that the seller was willing to allow him to copy all the NCIX customer data from all server hard drives without buying the hardware. Jeff also told Doering that at least one other person already bought some of the old NCIX user data.

 

Doering's report seems far-fetched at a first read, and it is quite unbelievable that such a large company like NCIX wouldn't encrypt user data or wipe servers before decommissioning its hardware.

 

In an attempt to verify the validity of Doering's report earlier today, ZDNet reached out to a former NCIX employee whose name was exposed in an image Doering published on his blog.

 

[...]

 

https://www.zdnet.com/article/canadian-retailers-servers-storing-15-years-of-user-data-sold-on-craigslist/


7 minutes ago, Sszecret said:

 it's already been posted. Maybe the mods could merge these two topics? :) 

The other thread has too much technical information and not enough background information.


The Richmond RCMP (Royal Canadian Mounted Police) apparently has opened an investigation and apparently has the drives (though it's unclear if they've seized all of them).

 

 


I'm assuming it would also affect their storefront customers too, right?


Also (just to add to the topic) ...
 

Quote

RCMP and privacy commissioner probe alleged NCIX data breach

 

The RCMP and Office of the Information and Privacy Commissioner of British Columbia are investigating allegations of a possible data breach involving the bankrupt computer retailer NCIX.

 

Authorities are investigating a claim that NCIX's database servers have been advertised for sale online with all of the information still intact.

 

In doing so, it may have compromised the security of countless customers. 

 

According to a statement from Richmond RCMP, the case was opened Thursday and police have seized the servers

CBC


@Jim K I posted that tweet in the other thread that was opened later.

 Is there any way these two could be merged? 

 

@Matthew S. from what info is available currently, all NCIX customers and employees are affected by this. The only seemingly safe transactions were the ones made through PayPal instead of via credit cards.
