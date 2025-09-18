from the easy-pickings dept.
Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed.
Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers.
Travis Doering, of infosec shop Privacy Fly, claimed he discovered the security cockup in the simplest way possible: he spotted the machines advertised on Craigslist, answered the ad, and inspected what was on offer.
According to the security consultant in a writeup this week, the hardware haul turned out to be 18 Dell Poweredge boxes from NCIX's server farm, plus storage kit, and 300 desktop machines. They were seized by the retailer's landlords after NCIX failed to pay CA$150,000 in rent, and sold off via auction to another person, who then apparently hawked the equipment to interested buyers via Craigslist last month.
https://www.theregister.co.uk/2018/09/21/ncix_servers_sold/
https://www.privacyfly.com/articles/ncix_breach/
(Score: 2) by RandomFactor on Tuesday September 25, @11:00PM
Grrrr.... Private people's data provided for use by a specific entity and NOT intended by the private parties as a transferable asset. The landlord used it as such by selling it and should be fully liable for all related misery and damages + punitive multipliers.
It would be nice if that landlord were destroyed in court every way imaginable for this, but I suspect that would be fantasy and I'm going to have to get used to disappointment. Anyone know what recourse, if any, our Northern neighbors have here?
(Score: 2) by bob_super on Tuesday September 25, @11:32PM
We need major breaches, bothering very rich people.
That's the only way we're gonna get any sensible laws about private-info databases and the obsolete concepts of SSNs and credit card numbers.