Unwiped servers and drives from NCIX appear on Craigslist

A security researcher found data relating to 3,848,000 orders on one server

Old NCIX server

Servers and disk drives from dissolved computer company NCIX have been found for sale on US trading site Craigslist, with all customer, partner and employee data still recoverable.

Although it's unclear who's selling them, one seller said they were helping the landlord get rid of equipment left in their warehouse after the Canadian company went bust last year.


Bleeping Computer reported that security consultant Travis Doering decided to try to buy one of the servers to investigate whether they were being sold with any data still on them. After seeing one for sale on Craigslist, he set about buying it and was successful.

The seller said he was offering an entire server farm on behalf of the landlord. He also had 300 desktop computers as well as the 18 Dell PowerEdge servers and two SuperMicro servers running StarWind iSCSI software.

Apparently, NCIX had failed to pay the property owner CAD 150,000 in rent, so he was trying to recoup the costs by selling the equipment without securely wiping it.

One of the servers Doering bought contained the data from 3,848,000 orders placed between 2007 and 2010, including names, email addresses, company names, addresses, phone numbers and even payment data.


In all, there was payment data relating to more than 250,000 customers.


Another dataset included unsalted MD5 hashed passwords for 385,000 customers.
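Why unsalted MD5 password storage is so damaging when a database leaks, shown as an added example (not code from the article or from NCIX): with no salt and a fast hash, every user who chose the same password gets the same hash, and a single precomputed table of common passwords maps hashes straight back to plaintext. The second half shows the mitigation a defender wants: a per-user random salt and a slow key-derivation function (PBKDF2-SHA256 here), with constant-time verification. The customer records and the wordlist are constructed sample data; the e-mail addresses are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample: two hypothetical customer records that happen to share a password,
# stored the way the leaked dataset reportedly was (unsalted MD5, hex-encoded).
LEGACY_RECORDS = {
    "alice@example.invalid": hashlib.md5(b"password123").hexdigest(),
    "bob@example.invalid": hashlib.md5(b"password123").hexdigest(),
}

# Constructed tiny wordlist standing in for a precomputed table of common passwords.
COMMON_PASSWORDS = [b"123456", b"password", b"password123", b"qwerty"]


def unsalted_md5_lookup(records, wordlist):
    """Show the exposure: build a hash->password table once and look every record up in it.
    Returns {email: recovered_password} for each record whose hash appears in the table.
    Because there is no salt, one table serves every user at once."""
    table = {hashlib.md5(pw).hexdigest(): pw.decode() for pw in wordlist}
    return {email: table[h] for email, h in records.items() if h in table}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Mitigation: random 16-byte salt plus a deliberately slow KDF.
    The stored string carries everything needed to verify later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("legacy hashes identical:", LEGACY_RECORDS["alice@example.invalid"] == LEGACY_RECORDS["bob@example.invalid"])
    print("recovered from table:", unsalted_md5_lookup(LEGACY_RECORDS, COMMON_PASSWORDS))
    a = hash_password("password123")
    b = hash_password("password123")
    print("salted hashes differ:", a != b, "| verify ok:", verify_password("password123", a))
```

The salted form makes the precomputed-table approach useless: the same password produces a different stored value for every user, and each guess costs hundreds of thousands of hash iterations instead of one.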

The seller's name was Jeff and although speculators think it could be NCIX's former CEO, Jeff Chiang, who wants to make some quick cash, Doering said he didn't think that was the case.

However, whoever is selling the equipment risks getting into serious trouble for essentially selling customer data illegally.

"Both sellers and buyers of the customer records, allegedly belonging to the retailer, can face harsh legal ramifications," High-Tech Bridge's CEO Ilia Kolochenko commented. "Under certain sets of circumstances it can be a serious criminal offense, however, it is too early to make any decisive conclusions prior to thorough investigation of the incident."

But as NCIX has gone bust, compensation claims are unlikely to succeed: there is no one to pay them except those selling the equipment, and they are unlikely to have the funds to cover costs of that kind.


"Nowadays, such negligence is unfortunately not all that uncommon, even amid operating and profitable companies, let alone bankrupt ones," Kolochenko added. "Many large organisations have been exposed for throwing away plaintext PII and other sensitive data of their customers on paper, hard drives or mobile devices.

"This is why certifications similar to ISO 27001 play an important role to ensure that at least the fundamentals of information security management are properly implemented in a company."
