SirRemog

Reputation Activity

  1. Agree
    SirRemog got a reaction from megascrapper in NCIX Data breach 2018   
    Seems like EVERYTHING was. Most of what was part of this breach seems to be data that was on hardware liquidated from their East Coast data centre due to non-payment of rent, as well as desktop equipment and servers from all over NCIX's properties. 
     
    It would not surprise me if there is even more stuff that was not part of this specific breach but was thrown to the wind, regardless. 
  2. Agree
    SirRemog got a reaction from TechyBen in NCIX Data breach 2018   
    Generally, the standard practice is to destroy storage media on the hardware being sold. It's just what you do if you are halfway professional. Not everyone is; lots of people are just lazy, but that doesn't excuse it. They don't get a pass because 'it happens all the time'.
  3. Agree
    SirRemog got a reaction from TechyBen in NCIX Data breach 2018   
    This is in many ways the single worst thing that could have possibly happened in a data breach scenario... employee INCOME TAX records are now out there - income, SSNs, home addresses... Not to mention customer transaction and CC data... This could ruin lives. 
  4. Agree
    SirRemog got a reaction from TechyBen in NCIX Data breach 2018   
  5. Like
    SirRemog got a reaction from TechyBen in NCIX Data breach 2018   
    Edit: This has grown a bit, so I am going to modify the post to add more info from the article to make it easier to parse:
     
    This is an important thing for anyone who interacts with e-commerce retailers. As the web evolves, sites open and close, some big, some small. When the big ones fall, what happens to your data?
     
    In one very big and public case the worst thing that could happen, happened.
    If you've ever bought anything on NCIX before it went defunct, worth a read.
    Especially important considering Linus's history with NCIX - perhaps some of his own data is breached as part of this brokering.
     
     
    https://www.privacyfly.com/articles/ncix_breach/
     
    --- 
    Sort of a TL;DR:

    On August 1, 2018, a Craigslist ad was discovered purporting to be selling two servers, one a Database Server from the now-defunct NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver-based Able Auctions. After some back and forth, a meeting was arranged where the data could be viewed. 

    The server contained some XML documents with usernames and passwords and database references but no data. When asked, the person selling stated they had the network storage as well as NCIX’s entire server farm from the east coast, which was shipped back to their Richmond warehouse several months previous. Which was only the beginning... 

    As the story developed, the source of quite a bit of the information came to light: 
     
    A further ~300 desktop computers from NCIX’s corporate offices and retail stores, 8 DELL PowerEdge servers, as well as at least two Supermicro servers running StarWind iSCSI Software as backup servers. There were also 109 hard disks pulled from auctioned servers. 
     
    Also, and this is something VERY important for those who have ever had computer repairs done at NCIX: A large pallet of 400-500 used hard drives from various manufacturers.
    Let that bit sink in. CUSTOMERS' PERSONAL data. 
     
    In another face-to-face meeting, more data was reviewed on some of the SuperMicro servers, as well as the Desktop machines used by NCIX staff. 
     
    On the desktop and discovered that it was used by a former NCIX employee named Chadwick Ma. The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers’ IDs, bills, and Mr. Ma’s T4 among other files. It was safe to assume the other desktops probably contained even more information about other employees. 
     
    On the SuperMicro backup server:
    A rundown of the types of information contained in the UNENCRYPTED storage and databases: 
    • nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data
    • Customer service inquiries including messages and contact information
    • Three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords
    • Full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables
    • OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data.
    • Financing programs
    • Employee records
    • Vendor pricing
    • Confidential company emails
    • Source Code intellectual property from NCIX’s ventures into manufacturing
    • Other confidential data

    The final important bit about what was really happening to the data and that it was really and truly up for sale to the highest bidder:

    Please, let's not underestimate the impact here. Not only does this affect you if you've purchased hardware from NCIX at any point in the last 15 years. This impacts you if you have ever worked for NCIX as an employee or contractor. If you've ever had a vendor agreement with them, if you've ever communicated with them in any way, if you've received service from them in the form of repairs, especially up to the point where they declared bankruptcy. Your confidential and personal information is blown to the wind. Depending on your relationship to them the damage goes from inconvenient to outright life-changing.
     
  6. Informative
    SirRemog got a reaction from ltcolsheppard in NCIX Data breach 2018   
  7. Agree
    SirRemog got a reaction from 8uhbbhu8 in NCIX Data breach 2018   
  8. Like
    SirRemog got a reaction from 8uhbbhu8 in NCIX Data breach 2018   
  9. Like
    SirRemog got a reaction from 8uhbbhu8 in NCIX Data breach 2018   
  10. Informative
    SirRemog got a reaction from MarvinKMooney in NCIX Data breach 2018   
  11. Informative
    SirRemog got a reaction from rcmaehl in NCIX Data breach 2018   
  12. Informative
    SirRemog got a reaction from I-r0k in NCIX Data breach 2018   
  13. Informative
    SirRemog got a reaction from Jwzj303 in NCIX Data breach 2018   
    Edit: This has grown a bit, so I am going to modify the post to add more info from the article to make it easier to parse:
     
    This is an important thing for anyone who interacts with e-commerce retailers. As the web evolves sites open and close, some big, some small. When the big ones fall, what happens to your data?
     
    In one very big and public case the worst thing that could happen, happened.
    If you've ever bought anything on NCIX before it went defunct, worth a read.
    Especially important considering Linus's history with NCIX - perhaps some of his own data is breached as part of this brokering.
     
     
    https://www.privacyfly.com/articles/ncix_breach/
     
    --- 
    Sort of a TL;DR:

    On August 1, 2018, A Craigslist ad was discovered purporting to be selling two servers, one a Database Server from the now-defunct NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver based Able Auction’s. After some back and forth, a meeting was arranged where the data could be viewed. 

    The server contained some XML documents with usernames and passwords and database references but no data. When inquired the person selling stated the had the network storage as well as NCIX’s entire server farm from the east coast which was shipped back to their Richmond warehouse several months previous. Which was only the beginning... 

    As the story developed, the source of quite a bit of the information came to light: 
     
    A further ~300 desktop computers from NCIX’s corporate offices and retails stores, 8 DELL PowerEdge servers, as well as at least two Supermicro server’s running StarWind iSCSI Software as backup servers. There were also 109 Hard Disks pulled from auctioned servers. 
     
    Also, and this is something VERY important for those who have ever had computer repairs done at NCIX: A large pallet of 400-500 used hard drives from various manufacturers.
    Let that bit sink in. CUSTOMERS' PERSONAL data.
     
    In another face-to-face meeting, more data was reviewed on some of the SuperMicro servers, as well as the Desktop machines used by NCIX staff. 
     
    On the desktop and discovered that it was used by a former NCIX employee named Chadwick Ma. The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers’ IDs, bills, and Mr. Ma’s T4 among other files. It was safe to assume the other desktops probably contained even more information about other employees.
     
    On the SuperMicro backup server:
    A rundown of the types of information contained in the UNENCRYPTED storage and databases: 
      • nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data
      • Customer service inquiries including messages and contact information
      • three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords.
      • full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.
      • OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data.
      • Financing programs
      • Employee records
      • Vendor pricing
      • Confidential company emails
      • Source Code intellectual property from NCIX’s ventures into manufacturing
      • Other confidential data

    The final important bit about what was really happening to the data and that it was really and truly up for sale to the highest bidder:

    Please, let's not underestimate the impact here. Not only does this affect you if you've purchased hardware from NCIX at any point in the last 15 years. This impacts you if you have ever worked for NCIX as an employee or contractor. If you've ever had a vendor agreement with them, if you've ever communicated with them in any way, if you've received service from them in the form of repairs, especially up to the point where they declared bankruptcy. Your confidential and personal information is blown to the wind. Depending on your relationship to them, the damage goes from inconvenient to outright life-changing.
     
  14. Informative
    SirRemog reacted to chiller15 in NCIX Data breach 2018   
    This is being more widely reported now and has been picked up by The Register.
     


  15. Agree
    SirRemog got a reaction from Trippik in NCIX Data breach 2018   
    Generally, the standard practice is to destroy storage media on the hardware being sold. It's just what you do if you are halfway professional. Not everyone is, lots of people are just lazy, but that doesn't excuse it. They don't get a pass because 'it happens all the time'.
  16. Agree
    SirRemog got a reaction from vanished in NCIX Data breach 2018   
  17. Informative
    SirRemog got a reaction from vanished in NCIX Data breach 2018   
  18. Informative
    SirRemog got a reaction from schwellmo92 in NCIX Data breach 2018   
  19. Informative
    SirRemog got a reaction from kirashi in NCIX Data breach 2018   
  20. Informative
    SirRemog got a reaction from ARikozuM in NCIX Data breach 2018   
  21. Informative
    SirRemog got a reaction from JCHelios in NCIX Data breach 2018   
  22. Informative
    SirRemog got a reaction from AntiTrust in NCIX Data breach 2018   
  23. Informative
    SirRemog reacted to This_guy1998 in NCIX Data breach 2018   
    @Aprime on Reddit said he already passed the info along.
  24. Agree
    SirRemog reacted to SolidLP in NCIX Data breach 2018   
    Would LOVE to see Linus' take on this, both on the WAN Show as well as a video emphasizing the importance of PCI compliance and data encryption. Maybe that clip from the auction that @rcmaehl screengrabbed could intro that video.

    @Remog said it: This could ruin lives.

    Just... facepalm.
  25. Agree
    SirRemog reacted to exetras in NCIX Data breach 2018   
    Whoever did the PCI audits fucked up royally, they might end up being liable if it can be proven they fucked up.