Recently the popular online retail service Craigslist was advertising servers and storage disks.  The seller was marketing Netlink Computer Inc. (NCIX) retail service new and used IT equipment.  The servers and storage disks being marketed included millions of unencrypted confidential records of employees, customers and business partners.   Up until 1 December 2017, when Canadian IT retail services NCIX filed for bankruptcy, they were a privately-held company who sold new and used computer hardware and software.  NCIX competed with Amazon and Newegg, but their business model focused on walk-in outlets rather than online sales.  This was the theorized demise of the company.    

After filing for bankruptcy, NCIX abandoned their company computers in a Richmond, British Columbia warehouse.  Two YouTube videos show the facility upon abandonment.[1]  A security consultant from Privacy Fly acted on the Craigslist selling offer that was marking two NCIX database servers for $1,500 CAD.  The consultant discovered that the seller, later identified as “Jeff,” had actually obtained NCIX’s entire server farm.  The retailer's inventory was auctioned earlier in 2018, but corporate computers were abandoned by NCIX in a warehouse in British Columbia after they defaulted on their rent. 

“Jeff” told the consultant that he was a former systems administrator for a Richmond-based telecommunications company and was helping the NCIX landlord recover the rent money.  This abandoned equipment included server equipment and 109 unwiped disk drives.  At least one data collection spanned 15 years of sales orders in multiple database backup versions.  Analysis disclosed 3,848,000 sales order details between 2007 and 2010, with names, company names, items purchased and their serial numbers, addresses, phone numbers, and payment data.  In an updated version, analysis provided corresponding email addresses.

Further examination of the storage drives exposed potential buyers and customer service inquiries containing full credit card payment details belonging to 258,000 users in the United States and Canada.

Additional entries in the database included 385,000 names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses, and passwords.[2]

“Jeff” explained he was in possession of about 300 desktop computers from NCIX corporate offices and retail stores, as well as 18 Dell PowerEdge servers, two SuperMicro servers with StarWind iSCSI software for back purposes.   All included 109 storage units with unwiped data.  One backup image, belonging to NCIX former owner, had data going back 13 years, with financial documents, employment letters containing social insurance numbers, and personal data from the owner’s personal computer. 

“Jeff” offered to sell the security consultant the desktops and server hardware, including the data for $35,000 CAD.  This did not include a batch of hard drives with 13TB of SQL databases, because someone had already purchased them and received the data via remote access to this data.  The seller later verbally disclosed that at least five other buyers, some of them involved in businesses he “did not want to know about,” purchased some of this data. 

Mitigation

This is a clear example of buying and selling both hardware, software and associated data to any buyers.  The buyers “Jeff” allegedly sold this sensitive data to are most likely criminals.  These cyber criminals will highly likely in turn use this personal identifying information (pii) and associated financial information to conduct credit card fraud.   

Buying used computer equipment through on-line services can be fraught with perils, like the NCIX situation.  Buyers must always beware.  Do your homework before making any on line purchase other than legitimate sellers.  If you sell, discard or are forced to abandon personal or company computer equipment; always pull or properly wipe the hard drives.  NCIX did not take due diligence and could possibly face potential legal and civil repercussions.  Also, applying common sense credit card practices will keep most buyers out of trouble.  Used multiple credit cards for physical and on-line purchases, change them often.  Never use your debit cards for on-line purchases.  There are many reputable credit protection services, that can provide protection.  And routinely monitor your credit ratings.    

For questions, comments or assistance regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com

[1] https://youtu.be/RVXR0eCCXbQ, ; https://youtu.be/cS0pyw7M2as

[2] https://www.privacyfly.com/articles/ncix_breach/#three

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!