Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

Infosec bod claims he glimpsed sensitive personal info left on unwiped servers


Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed.

Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers.

Travis Doering, of infosec shop Privacy Fly, claimed he discovered the security cockup in the simplest way possible: he spotted the machines advertised on Craigslist, answered the ad, and inspected what was on offer.

According to the security consultant in a writeup this week, the hardware haul turned out to be 18 Dell PowerEdge boxes from NCIX's server farm, plus storage kit, and 300 desktop machines. They were seized by the retailer's landlords after NCIX failed to pay CA$150,000 in rent, and sold off via auction to another person, who then apparently hawked the equipment to interested buyers via Craigslist last month.

The chain's database files, dating back to 2007, were unencrypted on the machines, and covered all aspects of the business, according to Doering:

"The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables."

Other database tables contained millions of records created through the entire life of NCIX, we're told. Customers in the databases lived in the US as well as Canada, it was claimed.

Infosec world and US Army veteran Jake Williams described it as "one of the most egregious data breaches ever"...

The contact offering the kit for sale, known only as "Jeff," also explained that he'd sold NCIX data to more than one overseas customer: $15,000 got each buyer "thirteen terabytes of SQL databases and various VHD and Xen server backup files," it was alleged.

"I cringed at the thought of that data being sold once, as it was dangerous enough. Then during further conversation, Jeff mentioned at least five other buyers," Doering claimed. "Jeff described one as a competing retailer, while the other three Jeff claimed to 'not want to know' their intentions or business."

Doering noted that the straightforward measure of turning on full-disk encryption would have sufficed to prevent any leak. Alternatively, destroying the storage beyond salvage would have been a good move, in our view.

Since NCIX is nothing but a corpse now, those whose privacy has been breached – any customer or employee – have little chance for any redress, we fear. ®

Updated to add

Developer Daniel Dent has some more detail on the matter over here.



Biting the hand that feeds IT © 1998–2022