Database servers sold at NCIX auction allegedly without being wiped

Sep 21 2018, 5:49 am

While they may have filed for bankruptcy late last year, resulting in two separate auctions earlier this year, it appears that NCIX, a former Vancouver-based computer hardware and software retailer, compromised the security of countless customers in the process.

That is according to Travis Doering of Privacy Fly, which identifies itself as a boutique cyber security firm based in Vancouver.

In a post on Privacy Fly’s website, Doering details his experience in inquiring about NCIX products which were bought at one of the auctions earlier this year, and then posted in the “For Sale” section of Craigslist.

And while this in itself may not be concerning, it is what Doering said he found out about the products in question was a cause for concern.

Through ongoing correspondence with the seller, Doering said it was revealed to him that the data on three NCIX servers, for sale at a cost of $15,000, had not been wiped.

“In addition, there were also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers,” writes Doering. “I remember the feeling of dread as it came over me when I imagined what could have been exposed in those 500 desktops previously sold unencrypted and unwiped via Able Auctions.”

Doering decided to examine  some of the SQL databases titled nciwww.MDF, payroll_Data.MDF, OrdersSql.MDF, posreports.MDF, among other names, and this is where things got” increasingly worrisome.”

“I found customer service inquiries including messages and contact information,” he writes. “There were also 385,000 names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords.”

Doering notes that the database also “contained full credit card payment details in plain text for 258,000 users between various tables.”

By the time he had inspected things further, Doering said all the data he saw “contained some [of] the most damaging and extensive records I had ever come across covering at least seventeen years of business transitions.”

Doering’s full report is available here.

See also
DH Vancouver StaffDH Vancouver Staff

+ News
+ Venture
+ Tech