A security researcher has found customer and employee data belonging to one of Canada's biggest PC hardware retailers on servers put up for sale on Craigslist. The data, believed to go back as far as 15 years, belongs to NCIX, a PC retailer that filed for bankruptcy and closed shop in December 2017.
The massive privacy breach appears to have taken place after the retailer closed its stores last year and retired old servers and employee workstations.
It's unclear how these servers ended up advertised on Craigslist, but they did. Travis Doering of Privacy Fly discovered an ad for two servers in August.
During the course of a month, Doering met with the seller, an Asian man from Richmond, British Columbia, who introduced himself under the name of "Jeff."
Doering says he made it clear from the beginning that he was interested in acquiring data stored on these servers, put up for sale for CAD$1,500 (USD$1,150) each.
After several meetings, Doering says he discovered that the seller had access to many more NCIX servers and workstations than he had initially advertised on Craigslist.
Jeff claimed to have gained access to NCIX's former hardware after the company failed to pay a CAD$150,000 (USD$115,000) bill for warehouse storage space and that he was helping the warehouse owner sell the equipment. None of this could be corroborated from any source.
But Doering did say Jeff had access to "300 desktop computers from NCIX's corporate offices and retail stores, 18 DELL Poweredge servers, as well as at least two Supermicro servers running StarWind iSCSI Software that NCIX had used to back up their hard disks."
In addition, Jeff also granted Doering access to "109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers."
On the various backup images and hard drives Doering accessed during his meetings with Jeff, he says he found personal data such as credentials, invoices, photographs of customers' IDs, bills, customer names, addresses, email addresses, phone numbers, IP addresses, and unsalted MD5-hashed passwords, just to name a few.
He also found a database table containing 258,000 payment card details stored in plaintext, and another table containing 3,848,000 customer orders.
Doering says he even accessed a backup image for the computer of Steve Wu, NCIX's founder.
When companies shut down, they usually wipe servers to prevent unauthorized access to their old data. Companies also usually encrypt their data when creating backups. But Doering said data stored on all this equipment was not encrypted.
In subsequent negotiations with Jeff, Doering says he discovered that the seller was willing to allow him to copy all the NCIX customer data from all server hard drives without buying the hardware. Jeff also told Doering that at least one other person already bought some of the old NCIX user data.
Doering's report seems far-fetched at a first read, and it is quite unbelievable that a company as large as NCIX wouldn't encrypt user data or wipe servers before decommissioning its hardware.
In an attempt to verify the validity of Doering's report earlier today, ZDNet reached out to a former NCIX employee whose name was exposed in an image Doering published on his blog.
The employee's name was Chadwick Ma, as seen in the image above. ZDNet was able to identify the Facebook profile of one man named Chadwick Ma who described himself in his profile as an Asian Canadian living in Richmond, Canada.
We reached out to Ma with a private message via his Facebook profile, hoping he could confirm the authenticity of the T4 tax form Doering had taken a screenshot of during a meeting with Jeff while reviewing some of the NCIX data.
Minutes after we reached out, both Ma's Facebook profile and the Craigslist ad were taken down. This seemed suspicious at the time, but in a later conversation Ma told ZDNet that he was in the hospital and had shut off his account due to stress and the need to rest.
A Royal Canadian Mounted Police spokesperson did not return a request for comment from ZDNet, although a spokesperson announced on Twitter that they've opened an investigation.
ZDNet has also reached out with questions regarding NCIX's handling of user data to Steve Wu via his LinkedIn and Twitter profiles, but we have not heard back before this article's publication.
Doering also told ZDNet he is still reviewing the NCIX data he was able to get his hands on, and plans on updating his original report with a more accurate count of user data tomorrow, September 21.
Article updated September 22 with information from our conversation with Ma.