NCIX Database Servers Containing Unencrypted User Data Cause Yet Another Data Breach
As if the Newegg data breach reported yesterday was not enough, NCIX decided to haunt everyone from the grave when news of a much larger data breach came out today. Readers of our website may have been aware that NCIX declared bankruptcy last December, and all their assets were put up for sale as part of a multi-day auction by the Able Auctions firm earlier this year. Most of the items on sale were innocuous, including remaining PC DIY components and office supplies, but an investigation coming out of Privacy Fly, a cyber security firm from Canada, is showing that something much more sinister ended up in the hands of people who also knew what they were doing. In particular, an unidentified male who called himself "Jeff", acting either independently or on behalf of another company, had procured the entire NCIX server farm at the auction and then sorted through the data to determine what was "useful" and what was not.
By this, he was referring to unencrypted and/or easily-cracked user data stored on the servers that NCIX had not bothered to remove or put behind a stronger password as the contents were laid bare for Privacy Fly to examine after the server was unlocked. These servers were put up for sale for $1500 (CAD) on Craigslist of all places, in a bold move effectively selling user data by the tens of thousands. "Jeff" confirmed he was in possession of hundreds of desktops, hard drives and more servers which, along with the StarWind iSCSI Software that was included in the auction and used by NCIX for all their years of existence meant every single customer and former employee was exposed by the breach. To be more specific, we are talking about financial records including payroll information, residence and email addresses, payment information and even Canadian SIN numbers all available to be seen and purchased by the lot. Be it the fault of NCIX or Able Auction, knowing that unencrypted data servers were sold without being wiped is terrifying, and we recommend taking appropriate actions as deemed for your country of residence.
By this, he was referring to unencrypted and/or easily-cracked user data stored on the servers that NCIX had not bothered to remove or put behind a stronger password as the contents were laid bare for Privacy Fly to examine after the server was unlocked. These servers were put up for sale for $1500 (CAD) on Craigslist of all places, in a bold move effectively selling user data by the tens of thousands. "Jeff" confirmed he was in possession of hundreds of desktops, hard drives and more servers which, along with the StarWind iSCSI Software that was included in the auction and used by NCIX for all their years of existence meant every single customer and former employee was exposed by the breach. To be more specific, we are talking about financial records including payroll information, residence and email addresses, payment information and even Canadian SIN numbers all available to be seen and purchased by the lot. Be it the fault of NCIX or Able Auction, knowing that unencrypted data servers were sold without being wiped is terrifying, and we recommend taking appropriate actions as deemed for your country of residence.