Canadian retailer's servers storing 15 years of user data sold on Craigslist

NCIX did not wipe or encrypt its servers when it closed down and filed for bankruptcy in 2017. Its customers' data is now being peddled online by a Richmond-based individual.
Written by Catalin Cimpanu, Contributor

A security researcher has found customer and employee data belonging to one of Canada's biggest PC hardware retailers on servers put up for sale on Craigslist. The data, believed to go back as far as 15 years, belongs to NCIX, a PC retailer that filed for bankruptcy and closed shop in December 2017.

The massive privacy breach appears to have taken place after the retailer closed its stores last year and retired old servers and employee workstations.


It's unclear how these servers ended up advertised on Craigslist, but they did. Travis Doering of Privacy Fly discovered an ad for two servers in August.

Over the course of a month, Doering met with the seller, an Asian man from Richmond, British Columbia, who introduced himself under the name "Jeff."

Doering says he made it clear from the beginning that he was interested in acquiring data stored on these servers, put up for sale for CAD$1,500 (USD$1,150) each.


After several meetings, Doering says he discovered that the seller had access to many more NCIX servers and workstations than he had initially advertised on Craigslist.

Jeff claimed to have gained access to NCIX's former hardware after the company failed to pay a CAD$150,000 (USD$115,000) bill for warehouse storage space and that he was helping the warehouse owner sell the equipment. None of this could be corroborated from any source.

But Doering did say Jeff had access to "300 desktop computers from NCIX's corporate offices and retail stores, 18 DELL Poweredge servers, as well as at least two Supermicro servers running StarWind iSCSI Software that NCIX had used to back up their hard disks."


In addition, Jeff also granted Doering access to "109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers."

On the various backup images and hard drives Doering accessed during his meetings with Jeff, he says he found personal data such as credentials, invoices, photographs of customers' IDs, bills, customer names, addresses, email addresses, phone numbers, IP addresses, and unsalted MD5 password hashes, just to name a few.
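The unsalted MD5 password hashes are the detail a practitioner should dwell on: without a per-user salt, a fast hash like MD5 is barely better than plaintext. The following Python script, an added example and not code from Privacy Fly, NCIX or ZDNet, simulates a leaked table in that format with constructed users and passwords, cracks it with a five-word dictionary, and shows the salted, slow PBKDF2 scheme from the standard library that would have made the same table useless. Every user name, password and wordlist entry in it is made up.

```python
"""Why an unsalted MD5 password table is nearly as good as plaintext.

Added example; not code from Privacy Fly, NCIX or ZDNet. All users,
passwords and the wordlist below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def legacy_md5(password):
    """The weak scheme the report describes: one fast, unsalted hash."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "leaked" table in the shape the report describes.
# md5("password") is the well-known 5f4dcc3b5aa765d61d8327deb882cf99.
LEAKED = {
    "alice": legacy_md5("password"),
    "bob":   legacy_md5("password"),            # same password, identical hash
    "carol": legacy_md5("123456"),
    "dave":  legacy_md5("Tr0ub4dor&3-Xq9!"),    # not in the wordlist, survives
}

# A tiny stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "ncix2017"]


def crack_unsalted_md5(table, wordlist):
    """Dictionary attack against an unsalted table.

    Each candidate is hashed exactly once and looked up against every user,
    so the cost is O(len(wordlist)), not O(len(wordlist) * len(table)), and a
    single hit exposes every account that chose that password. Returns a
    dict of user -> recovered password for the accounts that fell.
    """
    lookup = {legacy_md5(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def hardened_store(password, salt=None, rounds=200_000):
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 from the stdlib.

    The random 16-byte salt means two users with the same password get
    different records, so a precomputed table is useless and each guess must
    be recomputed per user at `rounds` cost.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def hardened_verify(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    cracked = crack_unsalted_md5(LEAKED, WORDLIST)
    print(cracked)  # -> {'alice': 'password', 'bob': 'password', 'carol': '123456'}
    first = hardened_store("password")
    second = hardened_store("password")
    print(first != second, hardened_verify("password", first))  # -> True True
```

Three of the four constructed accounts fall to a five-word list because the attacker pays for each guess once, for the whole table. With the salted PBKDF2 records the same two "password" users produce different strings, and every guess has to be repeated per user at 200,000 iterations; scrypt, bcrypt or Argon2 are the usual production choices and follow the same salt-plus-work-factor pattern.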

He also found a database table containing 258,000 payment card details stored in plaintext, and another table containing 3,848,000 customer orders.

Doering says he even accessed a backup image for the computer of Steve Wu, NCIX's founder.

When a company shuts down, standard practice is to wipe or physically destroy storage media before the hardware changes hands, and backups are normally encrypted so that a drive that leaves the building is useless without the key. Deleting files or reformatting a volume does not count: the data stays recoverable until each physical disk is overwritten or cryptographically erased, which is why loose media such as the 109 pulled drives and the pallet of 400-500 used drives matter as much as the servers themselves. But Doering said the data stored on all this equipment was not encrypted, and the fact that he could read it shows that none of it had been wiped either.


In subsequent negotiations with Jeff, Doering says he discovered that the seller was willing to allow him to copy all the NCIX customer data from all server hard drives without buying the hardware. Jeff also told Doering that at least one other person already bought some of the old NCIX user data.

Doering's report seems far-fetched at first read; it is hard to believe that a company the size of NCIX would neither encrypt user data nor wipe servers before decommissioning its hardware.

In an attempt to verify the validity of Doering's report earlier today, ZDNet reached out to a former NCIX employee whose name was exposed in an image Doering published on his blog.

Image: Privacy Fly

The employee's name was Chadwick Ma, as seen in the image above. ZDNet was able to identify the Facebook profile of one man named Chadwick Ma who described himself in his profile as an Asian Canadian living in Richmond, Canada.

We reached out to Ma with a private message via his Facebook profile, hoping he could confirm the authenticity of the T4 tax form Doering had taken a screenshot of during a meeting with Jeff while reviewing some of the NCIX data.

Minutes after we reached out, both Ma's Facebook profile and the Craigslist ad were taken down. This seemed suspicious at the time, but in a later conversation Ma told ZDNet that he was in the hospital and had shut off his account due to stress and the need to rest.

A Royal Canadian Mounted Police spokesperson did not respond to a request for comment from ZDNet, although a spokesperson announced on Twitter that the force has opened an investigation.

ZDNet has also reached out with questions regarding NCIX's handling of user data to Steve Wu via his LinkedIn and Twitter profiles, but we have not heard back before this article's publication.

Doering also told ZDNet he is still reviewing the NCIX data he was able to get his hands on and plans on updating his original report with a more accurate count of user data, tomorrow, September 21.

Article updated September 22 with information from our conversation with Ma.
