When Vancouver tech retailer NCIX went bankrupt, it stopped paying its bills, including the bills for the storage where its servers were being kept; that led to the servers being auctioned off without being wiped first, containing sensitive data — addresses, phone numbers, credit card numbers, passwords, etc — for thousands of customers. Also on the servers: tax and payroll information for the company’s employees.
In August, security researcher Travis Doering of Privacy Fly found NCIX servers being sold off on Craigslist; the seller, described as “an Asian man from Richmond” who called himself “Jeff,” said he bought many NCIX servers and computers, as well as hundreds of hard-drives with sensitive company data on them. Doering verified that Jeff’s servers held hundreds of thousands of credit-card numbers and millions of customer orders, as well as a backup image of the personal computer of NCIX founder Steve Wu.
Jeff told Doering that he had already sold copies of some of NCIX’s internal data to another customer, and offered to let Doering buy the right to copy the hard-drives on NCIX’s systems, rather than the systems themselves.
NCIX appears not to have encrypted any of its systems.
The examination portion of the meeting began to wind-down as time flew by and Jeff jumped into brokering a deal over a cup of tea. The first offer was thirty-five thousand dollars which would allow me to purchase all the desktop’s and server hardware, excluding one group of hard drives that I had analyzed which he would allow me to copy. This struck me as strange and I inquired as to why I couldn’t purchase those drives. He explained that those drives and the data on them had already sold for around fifteen thousand dollars to a foreign buyer who was arriving in Vancouver to acquire them in December. “December” I quipped in questioning tone which, prompted Jeff to explain that even though the buyer was picking up the physical drives in December. Jeff had already copied the data from those drives to a network storage device and allowed the buyers remote access. The data on those drives contained thirteen terabytes of SQL databases and various VHD and Xen server backup files. I cringed at the thought of that data being sold once, as it was dangerous enough when during further conversation Jeff mentioned at least five other buyers. Jeff described one as a completing retailer while the other three Jeff claimed to “Not Want to Know” their intentions or business. Armed with the knowledge that Jeff was willing to sell the data without all the hardware attached to the deal, I mentioned that I had little use for hardware which prompted him to make a considerably shadier proposal. Jeff stated that I could pay fifteen thousand dollars to copy all the data from the hard drives including the ones that he had previously sold. This scenario would playout with my employer paying fifteen thousand dollars to “Rent the Room” and he would provide me with a couple of desks and some servers to image all the data onto my own drives. Jeff and I tentatively agreed on the second deal and I quickly exited the warehouse.On my way out, I couldn’t help but think about how Jeff boasted that he was able to “crack their ISCSI server with very simple tools in five minutes” and called their security “really, really, bad” and I would whole heartedly agree with him there. This entire scenario could have been avoided by simply implementing full disk encryption within their organization or destroying the drives as their bankruptcy loomed. NCIX founder Steve Wu worked in IT for many years and fully understood the risk involved in his choice not to encrypt any data and then the repercussions of him abandoning the assets in a warehouse. Mr. Wu’s reckless behavior has harmed every individual and business NCIX dealt with, by allowing millions of confidential records to be sold without any oversight to anonymous buyers. The data can easily be used to cash out credit cards, craft convincing phishing messages containing details on purchases and commit identity theft.
Canadian retailer’s servers storing 15 years of user data sold on Craigslist [Catalin Cimpanu/Zdnet]
NCIX DATA BREACH [Travis Doering/Privacy Fly]