posted by Fnord666 on Tuesday September 25 2018, @10:47PM   Printer-friendly
from the easy-pickings dept.

Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed.

Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers.

Travis Doering, of infosec shop Privacy Fly, claimed he discovered the security cockup in the simplest way possible: he spotted the machines advertised on Craigslist, answered the ad, and inspected what was on offer.

According to the security consultant in a writeup this week, the hardware haul turned out to be 18 Dell PowerEdge boxes from NCIX's server farm, plus storage kit, and 300 desktop machines. They were seized by the retailer's landlords after NCIX failed to pay CA$150,000 in rent, and sold off via auction to another person, who then apparently hawked the equipment to interested buyers via Craigslist last month.

https://www.theregister.co.uk/2018/09/21/ncix_servers_sold/

https://www.privacyfly.com/articles/ncix_breach/


  • (Score: 0) by Anonymous Coward on Wednesday September 26 2018, @12:57PM (1 child)

    by Anonymous Coward on Wednesday September 26 2018, @12:57PM (#740139)

    Yes it's disgusting somebody sells this stuff but I think the fault is with the first party, i.e. NCIX, who should have wiped the hardware before passing it on. Unless they had some shady deal the info goes along with the servers and gets monetized by selling to criminals.

    And then there is the question of what their TOS said; perhaps the data was already fair game to begin with, anything goes. If the TOS of a service is too long or complex for you to read and understand, don't use the service.

  • (Score: 2) by urza9814 on Wednesday September 26 2018, @06:35PM

    by urza9814 (3954) on Wednesday September 26 2018, @06:35PM (#740373) Journal

    NCIX went bankrupt and shut down. They may not have even had the money to pay someone to wipe the servers, and there's nobody to sue over that at this point.

    As part of the bankruptcy their assets would be distributed to their creditors to pay off debts, so the landlord presumably acquired the servers perfectly legally as payment for a debt. They're probably not bound by whatever privacy policy was in place at NCIX -- NCIX maybe violated that by selling those servers, but again, they aren't here anymore to rectify that.

    However, there are a number of laws in Canada regarding collection and sale of personal information which the landlord almost certainly violated. Although the one federal law which I found (PIPEDA) seems fairly worthless -- it defines what companies can and cannot do with personal information...and then proceeds to explain that there is no defined punishment for any company found to be violating those terms.

    So for any former NCIX customers...good luck! Looks like you might need it...