Defunct Vancouver tech retailer's servers sold off, containing credit cards and other customer details

Originally published at: https://boingboing.net/2018/09/20/immortal-remains.html

3 Likes

I hope they got their money’s worth. Can you imagine just misplacing that many fullz?

2 Likes

Rule 1 of selling off your assets. Physically destroy the hard drives. It is just way cheaper than the cost of the data breach.

6 Likes

From what Doering saw, the computers contained various papers and documents, some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”. This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high-end escorts from mainland China.

One drive also contained a treasure trove of confidential data. This includes credentials, invoices, photographs of customers’ IDs, bills, and an employee’s T4 (tax form), among other files.

Worst of all however, is that he also stumbled into unencrypted tables containing consumer information. This has their addresses, names, contact information and all necessary information to steal their identity. This not only includes NCIX customers from Canada, but from the US as well.

The database also contained full credit card payment details in plain text for 258,000 users.

It is clear that the puzzle of why this technology company ended up in bankruptcy will never be solved…

10 Likes
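The unencrypted customer tables quoted above are exactly what a decommissioning check should catch before a drive changes hands. The following is an added example written for this page, not code from the article, the thread or NCIX: it scans a raw disk image for 13- to 19-digit runs that pass the Luhn mod-10 check, which is how payment card numbers (PANs) are validated, and reports each finding by offset with the number masked. The `SAMPLE_IMAGE` bytes are constructed for the demonstration and use a widely published Visa test number; the function names are the example's own.

```python
"""Scan a raw disk image for Luhn-valid payment card numbers (PANs).

Added example: a last-line check to run against a drive image before the
hardware leaves your control. Findings are reported masked, never in full.
"""
import re
import sys
from typing import Dict, List

# A candidate is 13-19 digits, optionally broken up by single spaces or
# dashes, and not embedded in a longer run of digits on either side.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:       # 10..18 collapse to their digit sum
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so a report can be stored safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_pans(image: bytes) -> List[Dict[str, object]]:
    """Return offset, digit count and masked value for each Luhn-valid hit."""
    hits: List[Dict[str, object]] = []
    for m in PAN_CANDIDATE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        # Drop repeated-digit runs such as 0000000000000000, which are
        # Luhn-valid but are padding, not card numbers.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            hits.append({"offset": m.start(),
                         "length": len(digits),
                         "masked": mask_pan(digits)})
    return hits


# Constructed sample image fragment: one customer row carrying a public Visa
# test number (Luhn-valid), a near miss that fails Luhn, and unrelated filler.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"customer_id=1002938,name=J. Doe,card=4111 1111 1111 1111,exp=09/18\n"
    + b"customer_id=1002939,name=A. Roe,card=4111111111111112,exp=11/19\n"
    + b"order_ref=20180920001\n"
    + b"\xff" * 16
)

if __name__ == "__main__":
    # Pass an image path to scan a real dump; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for hit in scan_for_pans(data):
        print(f"offset {hit['offset']:>10}: {hit['masked']} ({hit['length']} digits)")
```

Run against a real image (`dd` output or a forensic raw dump), the scan reads the whole file into memory; for multi-terabyte drives you would chunk the input with an overlap of a few dozen bytes so a number straddling a chunk boundary is not missed. A clean result is only as good as the Luhn filter: the check rejects most random digit runs but not all, so any hit still needs a human look, and a zero-hit scan of a drive that is known to have held the database is the signal that the wipe actually took.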

It was definitely a popcorn show toward the end. Google for some news articles if you want to relive the roller coaster ride.

3 Likes

Bah.

I used NCIX extensively back in the day. In fact, some of the servers that now power Boing Boing were purchased from them in 2012!

Thankfully any card data from back then is blessedly out of date.

9 Likes

In a rational society, failure to wipe data that results in the exposure of other people’s personal details would render you fully liable for all damages that ensued. And being forced to change account details after a breach would count as damage. Being on the hook for $10 or $20 for each person forced to change their card numbers by your breach would I suspect do wonders for security.

7 Likes

I shopped there often a few years ago. They had the best prices by far, until a certain mega-company took over. This sucks for all of their more recent customers.

Hmm, I may need to do some math on my last purchase there and the current card issue date. It should be close, but I’m not sure which way.

I agree, and I think that $10 or $20 is low for the general pain in the ass that comes with having to change card numbers. I travel a lot for work, which means that I have to replace (on average) 2 or 3 cards per year. Assuming that the issuer catches the attempted fraud in time (Chase is pretty good at this, which is why I generally use their card for travel), I still have to get the new card, update the saved details on the few sites I keep them on (car rental, airline, and hotel sites) and then take the time to monitor everything for a few weeks / months afterwards. Then when I arrive at a car rental or hotel that was booked with the now defunct card, I have to take the extra time to deal with updating that data in their system.

In the event the fraud is not caught in time (like last year for my debit card), then the aftermath is filling out affidavits for each and every charge that was made - in my case 27 different charges made at various bars, pizza places, and gas stations in southern MA.

If I were to charge the miscreants my professional hourly rate it would be hundreds or thousands of dollars; even if I charged minimum wage it would still probably add up to $1-200.

1 Like

Not good. If I throw my credit card in the river it’s gone right?

1 Like

The problem there is who is at fault? What if, for example, the CEO ordered the data nuked and no one complied? And what if they told a manager, they told a subordinate, and the subordinate didn’t do the work? What about a situation where a bankruptcy lays off anyone with the technical know-how to do the work?

I completely agree that there should be someone “at fault”, but speaking as someone who is, and has been, very responsible for this type of work for orgs both small and huge, getting that sort of legislation “right” is very important so you don’t end up screwing over the little admin at the end of the chain, or otherwise making their lives hell while CEOs do the usual minimum required to meet legislative standards sort of thing.

1 Like

Or even just pro-actively encrypt your drives across the whole enterprise. It sounds like they were using iSCSI authentication and that was it.

At least now everyone has good ammunition to go to the CEO with and get all the office laptops/desktops encrypted; they don’t want their emails to high-end escorts ending up in the wrong hands!

3 Likes

Except, in a collapse where the corpse is picked clean, who from the company is left to care or be held accountable?

3 Likes

The company and its owners. In the case of bankruptcy, either for former owners, or whoever took possession of the company’s tech assets.

8 Likes

This particular case looks like incompetence. But keep in mind that in bankruptcy it is possible that any kind of privacy agreement that you have with a company may end up being voided in the court’s attempt to extract maximum money from the corporate corpse to repay the creditors. So the mailing lists and whatever information they have on you may well be auctioned off to the highest bidder. Their contractual obligations to you are not necessarily more privileged than their contractual obligations to their creditors.

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.