Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

Infosec bod claims he glimpsed sensitive personal info left on unwiped servers


Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed.

Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers.

Travis Doering, of infosec shop Privacy Fly, claimed he discovered the security cockup in the simplest way possible: he spotted the machines advertised on Craigslist, answered the ad, and inspected what was on offer.

According to the security consultant's writeup this week, the hardware haul turned out to be 18 Dell PowerEdge boxes from NCIX's server farm, plus storage kit, and 300 desktop machines. They were seized by the retailer's landlords after NCIX failed to pay CA$150,000 in rent, and sold off at auction to a third party, who then apparently hawked the equipment to interested buyers via Craigslist last month.

The chain's database files, dating back to 2007, were unencrypted on the machines, and covered all aspects of the business, according to Doering:

The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.

Other database tables contained millions of records created through the entire life of NCIX, we're told. Customers in the databases lived in the US as well as Canada, it was claimed.
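The unsalted MD5 password hashes Doering describes are a problem in their own right, and one worth seeing in code. The following Python example is added here and is not from Doering's writeup or NCIX's systems; the accounts and the wordlist are constructed. It contrasts the leaked scheme (unsalted MD5) with a per-user salted scrypt hash from the standard library: against the former an attacker hashes each candidate word once and matches it against the entire user base, while against the latter every (user, candidate) pair costs a full KDF evaluation.

```python
import hashlib
import secrets

# Constructed sample accounts (hypothetical, not from the NCIX data).
# Two users picked the same password, as always happens at scale.
ACCOUNTS = [
    ("alice@example.com", "Winter2007!"),
    ("bob@example.com", "Winter2007!"),
    ("carol@example.com", "hunter2"),
]

# Stand-in for an attacker's wordlist / precomputed lookup table.
WORDLIST = ["password", "hunter2", "Winter2007!", "letmein"]


def unsalted_md5(password):
    """What the leaked table stored: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_kdf(password, salt):
    """Per-user random salt plus a slow, memory-hard KDF (stdlib scrypt).
    The record carries the salt so the server can verify logins later."""
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())


def store_unsalted(accounts):
    """Build the user -> hash table the way the leaked database did."""
    return {user: unsalted_md5(pw) for user, pw in accounts}


def store_salted(accounts):
    """Build the user -> record table with a fresh 16-byte salt per user."""
    return {user: salted_kdf(pw, secrets.token_bytes(16)) for user, pw in accounts}


def crack_unsalted(table, wordlist):
    """Hash each candidate once and match it against every user at once:
    the cost is len(wordlist) hashes no matter how many users there are."""
    lookup = {unsalted_md5(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(table, wordlist):
    """With a unique salt per user nothing can be precomputed or shared:
    every (user, candidate) pair costs a full scrypt evaluation."""
    found, kdf_calls = {}, 0
    for user, record in table.items():
        _, salt_hex, _ = record.split("$")
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            kdf_calls += 1
            if salted_kdf(w, salt) == record:
                found[user] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    weak = store_unsalted(ACCOUNTS)
    print("alice and bob share an MD5:", weak["alice@example.com"] == weak["bob@example.com"])
    print("cracked (md5):", crack_unsalted(weak, WORDLIST))
    strong = store_salted(ACCOUNTS)
    print("cracked (scrypt):", crack_salted(strong, WORDLIST))
```

The point is not that scrypt makes a password like "hunter2" safe; both schemes give it up. It is that the unsalted table lets one pass over a wordlist crack every account that shares a password, and lets the attacker reuse a lookup table built for any other site's MD5 dump, whereas the salted table forces per-user work and turns identical passwords into unrelated records.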

Jake Williams, a veteran of both the infosec world and the US Army, described it as "one of the most egregious data breaches ever".

The contact offering the kit for sale, known only as "Jeff," also explained that he'd sold NCIX data to more than one overseas customer: $15,000 got each buyer "thirteen terabytes of SQL databases and various VHD and Xen server backup files," it was alleged.

"I cringed at the thought of that data being sold once, as it was dangerous enough. Then during further conversation, Jeff mentioned at least five other buyers," Doering claimed. "Jeff described one as a competing retailer, while the other three Jeff claimed to 'not want to know' their intentions or business."

Doering noted that the straightforward measure of turning on full-disk encryption would have been enough to prevent the leak. One caveat, in our view: that only holds if the decryption key does not leave with the hardware, which is exactly what happens when a server holds the key it needs to unlock its own disks at boot. Alternatively, destroying the storage beyond salvage, or at the very least overwriting it, before the kit changed hands would have been a good move.
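Before hardware is auctioned or resold, a practitioner would also want to confirm that nothing readable is left on it. The following Python example is added here and is not part of Doering's writeup or this article; it scans a raw disk image or block device for card-number-like digit runs and keeps only those that pass the Luhn check, reading in chunks with an overlap so a number straddling a chunk boundary is not missed. The sample bytes are constructed, and the two hits use the well-known test numbers 4111111111111111 and 5555555555554444, not real cards; scan_file and friends are hypothetical helper names.

```python
import io
import re

# Constructed sample standing in for raw bytes read off a decommissioned drive.
# Hypothetical content; the two card numbers are standard Luhn-valid test values.
SAMPLE_IMAGE = (
    b"\x00\x00INSERT INTO orders VALUES (1001,'4111111111111111','2018-01-05');\x00"
    b"serial=1234567890123456;\x00"             # 16 digits that fail Luhn: a serial, not a PAN
    b"card: 5555 5555 5555 4444 exp 09/19\x00"  # separators are common in dumps and logs
    b"ip=192.168.0.1 phone=6045551234\x00"      # no digit run of PAN length here
)

# 13-19 digits, optionally separated by single spaces or hyphens.
DIGIT_RUN = re.compile(rb"\d(?:[ -]?\d){12,18}")
MAX_RAW_LEN = 19 + 18  # longest PAN with a separator between every digit


def luhn_valid(digits):
    """Luhn mod-10 check used by card numbers; weeds out serials, timestamps, IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(blob):
    """Return (start, end, digits) for every Luhn-valid digit run in a byte buffer."""
    hits = []
    for m in DIGIT_RUN.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def scan_stream(f, chunk_size=1 << 20, overlap=MAX_RAW_LEN + 1):
    """Scan a file-like object chunk by chunk, returning [(absolute_offset, digits)].
    The tail of each chunk is re-scanned with the next one so boundary-straddling
    numbers are seen whole; offsets are deduplicated across the overlap."""
    hits, seen = [], set()
    tail, base = b"", 0  # base: absolute offset of the current chunk
    data = f.read(chunk_size)
    while data:
        nxt = f.read(chunk_size)  # read ahead so we know whether this chunk is the last
        buf = tail + data
        for start, end, digits in find_pans(buf):
            if start == 0 and tail:
                continue  # could be the suffix of a run already reported in full
            if end == len(buf) and nxt:
                continue  # run may continue past the boundary; next pass sees it whole
            abs_off = base - len(tail) + start
            if abs_off not in seen:
                seen.add(abs_off)
                hits.append((abs_off, digits))
        tail = buf[-overlap:]
        base += len(data)
        data = nxt
    return hits


def scan_bytes(blob, chunk_size=1 << 20, overlap=MAX_RAW_LEN + 1):
    """Same scan over an in-memory image; handy for checking boundary handling."""
    return scan_stream(io.BytesIO(blob), chunk_size, overlap)


def scan_file(path, chunk_size=1 << 20, overlap=MAX_RAW_LEN + 1):
    """Usage: scan_file('/dev/sdb') on the device about to leave the building (needs read access)."""
    with open(path, "rb") as f:
        return scan_stream(f, chunk_size, overlap)


if __name__ == "__main__":
    for off, pan in scan_bytes(SAMPLE_IMAGE, chunk_size=40, overlap=40):
        print("PAN-like value at offset %d: %s" % (off, pan))
```

Run it against the raw device after the disks have supposedly been wiped: any hit means the wipe did not happen. A clean scan is necessary but not sufficient, since compressed, encoded or encrypted-with-the-key-on-the-box data will not show up as digit runs, which is why cryptographic erasure or physical destruction remains the stronger answer.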

Since NCIX is nothing but a corpse now, those whose privacy has been breached – any customer or employee – have little chance for any redress, we fear. ®

Updated to add

Developer Daniel Dent has some more detail on the matter over here.



Biting the hand that feeds IT © 1998–2020