Data on Millions from Unwiped Servers Sold Over Craigslist

When a company goes bankrupt what happens to the customer data? In one case, it ended up for sale on Craigslist. Data on Millions from Unwiped Servers Sold Over Craigslist

That’s what a system analyst in Canada recently found: A shady Craigslist dealer was offering access to millions of customer records taken from unwiped servers used by the electronics retailer NCIX, which went bankrupt in 2017. “It sounds crazy how negligent this company was,” said Travis Doering, who uncovered the sale and was once an NCIX customer. “I personally feel so betrayed by this.” This week, he wrote up the incident in a blog post, which appears to have sparked a police investigation into the sale.

According to Doering, at least some of the data goes back 15 years and was entirely stored in plain text. It included customer addresses, phone numbers, credit card payment details, along with what items people bought. Doering, who runs the cybersecurity firm Privacy Fly, noticed the Craigslist posting last month; it was offering two servers from the now-defunct NCIX, which operated in both the US and Canada.

He decided to investigate, and eventually met the seller, an “Asian man in his mid-thirties who identified himself as Jeff.” The mysterious seller claimed to possess an entire server farm from NCIX, in addition to hundreds of desktop computers used by the retailer’s offices and stores. Doering had a chance to examine some of the files inside the hardware, and his blog post includes screenshots showing the data they contained.

Data on Millions from Unwiped Servers Sold Over Craigslist

One database, for instance, held 385,000 customer records for NCIX’s US business that listed names, addresses, phone numbers and more. Another database focused on Canada and listed the same information, but for 3.8 million records.

“What Jeff showed me was only the tip of the iceberg,” Doering told PCMag in an interview. He added that it’s likely the man had access to every record NCIX ever created.

This includes files on former employees containing their Canadian social insurance numbers, as well as correspondence NCIX had between major corporate clients such as gaming firms and government groups. The dealer offered Doering the data for £15,000, but noted he already sold the trove of information to at least five other buyers. Since Doering wrote his blog post on the sale, police appear to have taken action.

“All we can say is that an investigation was launched yesterday by our Detachment, which bears some similarities with what you are inquiring about,” a spokesman for the Richmond Royal Canadian Mounted Police told PCMag.

Data on Millions from Unwiped Servers Sold Over Craigslist

But according to Doering, police told him that they’ve actually seized the hardware from the Craigslist dealer.

Unfortunately, only “one-tenth” of what the man was attempting to sell was recovered, he said. How the NCIX data ended up in the hands of the Craigslist dealer isn’t totally clear. Doering said he doesn’t know the true identity of “Jeff,” but the man claimed he was helping a landlord of NCIX’s server warehouse recoup his lost funds.

From what Doering learned, NCIX owed the landlord £150,000. The former CEO of NCIX, Steve Wu, so far hasn’t responded for comment. When the retailer filed for bankruptcy last December, it was taken over by a financial firm called the Bowra Group, which then sold the remaining assets to an undisclosed third-party who intended on restarting NCIX, a Bowra representative told PCMag.

The assets were later put up for sale to the public through Able Auctions. However, all the NCIX hardware was first reviewed by the undisclosed third-party, according to the owner of Able Auctions, Jeremy Dodd. “They (the third-party) had the stuff for about a month. They took out what they wanted.

They went through every hard drive,” he said.

Data on Millions from Unwiped Servers Sold Over Craigslist In regards to NXIC’s server farm which would’ve held the company’s most sensitive data the third-party kept the newer hardware, but let Able Auctions take the older systems. It was assumed all the information had been erased from the leftover computers, but it’s possible not every hard drive was wiped, Dodd said. “We were never privy to what they were doing.

There was a lot of hardware. There were hundreds of hard drives,” he said, later adding. “No, we didn’t check every single hard drive.” Both Bowra and Able Auctions have declined to say who the undisclosed third-party is.

But Dodd is blaming the incident on them. “The breach either came within their company or they were negligent in clearing off the hard drives,” which were later sold to the public, he said. Whatever the case may be, Doering told PCMag the “damage is done.” The NCIX data can be used to commit identity theft and hacking crimes on former customers, including corporations. The leaked files include information on what computer systems companies and government offices were buying from NCIX. “You can craft a specific attack when you can estimate what BIOS they are running, what versions they have,” he said. “Think about how valuable that is for a foreign intelligence agency.”

A former employee of NCIX also told PCMag that the company had corporate buyers who would’ve submitted payment forms that included bank account information. “A lot of the practices they (NCIX) did when it came to storing data, we knew it wasn’t 100 percent.

It wasn’t like we were a PCI compliant company,” he said, referring to industry standards on encrypting payment card data.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

       
Apps & Games Clothing Electronics & Photo Large Appliances
Baby Womens Apparel Garden Lighting
Beauty Mens Apparel Outdoors Luggage
Books Girls Apparel Health & Personal Care Pet Supplies
Car Boys Apparel Home Shoes & Bags
Motorbike Computers & Accessories Kitchen Equipment Sports & Outdoors
Fashion DIY & Tools Jewellery Toys & Games