SirRemog

SirRemog's Achievements

  1. In a disappointing decision on December 27, 2018, a BC court ruled to dismiss the Class Action lawsuit filed against NCIX, its landlord and the company responsible for auctioning off the old equipment. The original lawsuit was stayed because NCIX was bankrupt. The Judge in the case refused to grant leave for the plaintiff to sue the trustee, Bowra Group, citing 'unreliable' proof of data breach. The Judge in the case had cited a significant number of deficiencies in the evidence presented amounting most of it to hearsay and belief (as not fact). At the same time, an RCMP case opened to investigate the breach was closed without charges being recommended. The plaintiff's lawyer had intended to proceed with a modified version of the proposed class action against the auctioneer and NCIX's landlord. However, due to the ruling by the judge, it would not be possible to submit a modified case, saying he "has not acknowledged any deficiencies" in his evidence. https://www.cbc.ca/news/canada/british-columbia/court-blocks-class-action-against-bankrupt-computer-firm-citing-unreliable-proof-of-data-breach-1.4964076
  2. Wow, I didn't know that. That's even scarier. The impact of this just keeps getting more severe.
  3. Contact the Government (Service Canada) immediately. And probably consider legal options. Maybe a class action is something that could happen in the future? Though IANAL so YMMV
  4. Generally, the standard practice is to destroy storage media on the hardware being sold. It's just what you do if you are halfway professional. Not everyone is, lots of people are just lazy, but that doesn't excuse it. They don't get a pass because 'it happens all the time'.
  5. You're right it is a lot to process. I can work on a summary here in a bit.
  6. This is in many ways the single worst thing that could have possibly happened in a data breach scenario... employee INCOME TAX records are now out there - income, SSNs, home addresses... Not to mention customer transaction and CC data... This could ruin lives.
  7. Seems like EVERYTHING was. Most of what was part of this breach seems to be data that was on hardware liquidated from their East coast data centre due to non-payment of rent, as well as desktop equipment and servers from all over NCIX's properties. It would not surprise me if there is even more stuff that was not part of this specific breach but was thrown to the wind, regardless.
  8. Edit: This has grown a bit, so I am going to modify the post to add more info from the article to make it easier to parse:

     This is an important thing for anyone who interacts with e-commerce retailers. As the web evolves sites open and close, some big, some small. When the big ones fall, what happens to your data? In one very big and public case the worst thing that could happen, happened. If you've ever bought anything on NCIX before it went defunct, worth a read. Especially important considering Linus's history with NCIX - perhaps some of his own data is breached as part of this brokering.

     https://www.privacyfly.com/articles/ncix_breach/

     ---

     Sort of a TL;DR:

     On August 1, 2018, a Craigslist ad was discovered purporting to be selling two servers, one a Database Server from the now-defunct NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver-based Able Auctions. After some back and forth, a meeting was arranged where the data could be viewed. The server contained some XML documents with usernames and passwords and database references but no data. When inquired the person selling stated they had the network storage as well as NCIX's entire server farm from the east coast which was shipped back to their Richmond warehouse several months previous.

     Which was only the beginning...

     As the story developed, the source of quite a bit of the information came to light: a further ~300 desktop computers from NCIX's corporate offices and retail stores, 8 DELL PowerEdge servers, as well as at least two Supermicro servers running StarWind iSCSI Software as backup servers. There were also 109 Hard Disks pulled from auctioned servers.

     Also, and this is something VERY important for those who have ever had computer repairs done at NCIX: a large pallet of 400-500 used hard drives from various manufacturers. Let that bit sink in. CUSTOMERS' PERSONAL data.

     In another face-to-face meeting, more data was reviewed on some of the SuperMicro servers, as well as the Desktop machines used by NCIX staff.

     On the desktop and discovered that it was used by a former NCIX employee named Chadwick Ma. The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers' IDs, Bills, and Mr. Ma's T4 among other files. It was safe to assume the other desktops probably contained even more information about other employees.

     On the SuperMicro backup server, a rundown of the types of information contained in the UNENCRYPTED storage and databases:

       • nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data
       • Customer service inquiries including messages and contact information
       • three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords.
       • full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.
       • OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data.
       • Financing programs
       • Employee records
       • Vendor pricing
       • Confidential company emails
       • Source Code intellectual property from NCIX's ventures into manufacturing
       • Other confidential data

     The final important bit about what was really happening to the data and that it was really and truly up for sale to the highest bidder:

     Please, let's not underestimate the impact here. Not only does this affect if you've purchased hardware from NCIX at any point in the last 15 years. This impacts if you have ever worked for NCIX as an employee or contractor. If you've ever had a vendor agreement with them, if you've ever communicated with them in any way, if you've received service from them in the form of repairs, especially up to the point where they declared bankruptcy. Your confidential and personal information is blown to the wind. Depending on your relationship to them the damage goes from inconvenient to outright life changing.