NCIX Data breach 2018

SirRemog
Message added by vanished

This is the thread on this news story.  If you see other threads popping up about it, please report them and ask for them to be merged in here.  Don't bother commenting on them.

16 minutes ago, VegetableStu said:

so when is Canada vs the dumb liquidators?

This is exactly my thought. The Bowra Group accepted full responsibility and liability when they became the trustee during NCIX's bankruptcy. Anyone who had their computer in for repair at NCIX, as well as anyone who purchased items or provided any data to NCIX of any kind, should be contacting them to find out what action steps are being taken at this moment, because a class action will be brewing, guaranteed.

https://www.bowragroup.com/bowra-netlink-computer

Desktop: KiRaShi-Intel-2022 (i5-12600K, RTX2060) Mobile: OnePlus 5T | Koodo - 75GB Data + Data Rollover for $45/month
Laptop: Dell XPS 15 9560 (the real 15" MacBook Pro that Apple didn't make) Tablet: iPad Mini 5 | Lenovo IdeaPad Duet 10.1
Camera: Canon M6 Mark II | Canon Rebel T1i (500D) | Canon SX280 | Panasonic TS20D Music: Spotify Premium (CIRCA '08)


1 hour ago, Ryan_Vickers said:

Ever heard of social engineering or identity theft?  Maybe credit card fraud?

I think he meant the businesses don't care about protecting your data? Admittedly that's not exactly clear from the post.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Does someone have a list of times companies have leaked or otherwise inappropriately handled user information?

It seems like it's extremely common, and yet people are very willing to give companies a huge amount of personal information because they naively trust the company. Even if you trust that the company doesn't do anything malicious with the information you give them, the more companies you give information to, the more likely you are to have your information end up in the wrong hands.


8 minutes ago, LAwLz said:

Does someone have a list of times companies have leaked or otherwise inappropriately handled user information?

It seems like it's extremely common, and yet people are very willing to give companies a huge amount of personal information because they naively trust the company. Even if you trust that the company doesn't do anything malicious with the information you give them, the more companies you give information to, the more likely you are to have your information end up in the wrong hands.

I won't give anybody anything unless I feel it's essential for them to have it.

 

For example, why does my ISP need my mobile number? If I have an issue I'll contact them, and they have my landline number as they're my ISP. Why does my phone provider need my email address? Why does my gym need my email address?

 

Sometimes people look at me like I'm not all there (even my own family) and I genuinely don't care. It's my information and I'll give it (or not give it) to whoever I damn well choose to.

 

Also - https://haveibeenpwned.com/


4 minutes ago, LAwLz said:

Does someone have a list of times companies have leaked or otherwise inappropriately handled user information?

It seems like it's extremely common, and yet people are very willing to give companies a huge amount of personal information because they naively trust the company. Even if you trust that the company doesn't do anything malicious with the information you give them, the more companies you give information to, the more likely you are to have your information end up in the wrong hands.

Yes, simply visit https://haveibeenpwned.com/PwnedWebsites to view a list of all websites that have been breached. The key takeaway here is that ANY system can be breached, given enough time and resources. One way to protect yourself from this is to never use any services, but that kind of makes it difficult to even have a simple bank account, let alone browse the internet. The actual way to protect our information is to demand companies smarten up with their data protection standards, making ONE-WAY encryption mandatory for ALL sensitive information, and greatly restricting the flow of unencrypted information on a need-to-know basis.


Quote

August 1, 2018. A rare sunny day in rain ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself

Hmm, little bit sceptical about an article that starts out like this, but I'll go with it to see where it goes...

 

Quote

There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.

Yikes.
 

Quote

I mounted one image belonging to Steve Wu the founder of NCIX. Inside I found data going back 13 years, financial documents, employment letters containing SIN numbers, and data from Mr. Wu’s home computer

It's not just Linus at LMG that has to worry about this. Quite a few LMG employees are former NCIX staff. You have Linus, Riley, Ivan, Luke, and possibly either Brandon (?) or Edzel (?). Linus' sister-in-law (Yvonne's sister) also worked at NCIX at some point. All of them should be very concerned about this breach if what we've seen so far is true.

 

I feel a class action suit is inevitable. At the end of the day who is responsible for this? Would it be the liquidators that sold off the assets that contained this sensitive information?

 

5 minutes ago, LAwLz said:

Does someone have a list of times companies have leaked or otherwise inappropriately handled user information?

https://en.wikipedia.org/wiki/Lists_of_companies

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450
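The article quoted above says the NCIX database held unsalted MD5 password hashes, and an earlier post asks for one-way hashing of all sensitive data. As an added example (not code from the thread, the article or NCIX), this Python audit shows why an unsalted MD5 store fails that bar and what a salted, iterated hash store looks like; the sample accounts and the `algo$iterations$salt$hash` record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample accounts for this example (not data from the NCIX
# database); two users happen to share the same password.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice": "Winter2018!",
    "bob": "Winter2018!",
    "carol": "correct horse battery staple",
}


def unsalted_md5(password: str) -> str:
    """The scheme the article describes: one bare MD5 digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored as one field.

    Record format (assumed for this example): algo$iterations$salt_hex$dk_hex
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(store: Dict[str, str]) -> List[Set[str]]:
    """Audit helper: group users whose stored value is byte-identical.

    In an unsalted store every shared password shows up as a duplicate, so one
    successful guess (or one precomputed table entry) unlocks the whole group.
    A correctly salted store never yields a group larger than one.
    """
    by_value: Dict[str, Set[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_stores(passwords: Dict[str, str] = SAMPLE_PASSWORDS):
    """Return (md5_store, pbkdf2_store) built from the same passwords."""
    md5_store = {u: unsalted_md5(p) for u, p in passwords.items()}
    pbkdf2_store = {u: pbkdf2_record(p) for u, p in passwords.items()}
    return md5_store, pbkdf2_store


if __name__ == "__main__":
    md5_store, pbkdf2_store = build_stores()
    print("unsalted MD5 duplicate groups:", duplicate_hash_groups(md5_store))
    print("salted PBKDF2 duplicate groups:", duplicate_hash_groups(pbkdf2_store))
```

Running it shows alice and bob collapsing into one group under MD5 and no duplicates under the salted scheme, which is the first check worth making on any recovered or inherited credential table.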


8 hours ago, Dan Castellaneta said:

this week's just the week for data breaches huh

Lately, every week is the week for data breaches...

59 minutes ago, asus killer said:

NCIX should at least have encrypted the most important files for f sake

 

the people responsible for the bankruptcy didn't care that there were servers and data in possession of a 3rd party. They should have known for f sake, inventories and all that

 

the employees and the owner couldn't care less either. Who cares right *facepalm* if I understood correctly the not paying rent is still prior to the closing, so they are all on NCIX for blame, morally and for sure legally.

Yeah, this is a big deal; the general consensus is that NCIX have been negligent and somewhat ignorant of their responsibility for holding people's data. Just because things don't work out well for you, the company, doesn't mean you lose any responsibility or duty of care.

 

What's ironic is that they probably thought they could save money by just selling all stock immediately and not worrying about wiping all the drives; it seems like now it's going to cost them even more. I'd be very surprised if there are not some legal repercussions here, at least as a warning to other companies who could try and pull similar moves. This kind of behavior simply cannot be tolerated; this is not on.

 

This article was already mentioned and it's a good read as well:

https://www.eteknix.com/ncix-database-servers-sold-craigslist-without-wiped/amp/


32 minutes ago, Master Disaster said:

Sometimes people look at me like I'm not all there (even my own family) and I genuinely don't care. It's my information and I'll give it (or not give it) to whoever I damn well choose to.

I recently ordered an STD test online and in the order form it gave me the option to put in my phone number and/or email address. They were clearly labeled as optional too, without any explanation for what they were going to be used for.

I wonder how many willingly put it in for no apparent reason, just because they are used to mindlessly providing that information.


51 minutes ago, LAwLz said:

I recently ordered an STD test online and in the order form it gave me the option to put in my phone number and/or email address. They were clearly labeled as optional too, without any explanation for what they were going to be used for.

I wonder how many willingly put it in for no apparent reason, just because they are used to mindlessly providing that information.

Yeah people have become desensitised to providing information that's wholly unnecessary.

 

My mum is in her late 50s and will think nothing of telling cold callers her entire life story. I keep trying to tell her not to give them anything they don't already know but she's from a different generation where it wasn't an issue.


I wanna say something will happen as a result of this, but having been through others, there isn't a chance in hell. Fact is, privacy is a joke. There STILL has been no blowback from Equifax, none from Bell's three (yes, three), etc.

 

Off to convince my bank yet again why they should care about summer students having unrestricted access to client accounts.  Why they SHOULD be properly authenticating clients.  And why I should continue banking with them.


I can't really understand why something like an SSN or similar would be needed to purchase a PC? Nevertheless, I hope the government takes this seriously. Not a customer myself, but I know that the people here in Germany would throw almost anyone involved with this in jail.


5 minutes ago, vrod said:

I can't really understand why something like an SSN or similar would be needed to purchase a PC?

AFAIK that information was from the employee documents that were stored on the drives. The company would likely need this information from its employees for tax purposes.


7 minutes ago, Spotty said:

AFAIK that information was from the employee documents that were stored on the drives. The company would likely need this information from its employees for tax purposes.

I guess that makes sense in some way. The only info we need here in Germany is the tax number, which you can't really do much with.


6 hours ago, Ryan_Vickers said:

Ever heard of social engineering or identity theft?  Maybe credit card fraud?

I'm talking about the people in charge of keeping your data secure.

 

 

Also, there are so many data breaches that statistically your data is likely out there, even somewhat up to date.

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch


2 minutes ago, vrod said:

I guess that makes sense in some way. The only info we need here in Germany is the tax number, which you can't really do much with.

I'm not too sure, but I believe in Canada the SIN is their form of tax file number. Not sure about Germany, but often countries and institutions within them use the tax file number/social security number as one means of proof of identity. This means that if that information falls into the wrong hands, along with information such as names, addresses, birthdays, etc., it may open up the possibility of identity theft, and thus the possibility of taking out bank loans or credit cards in that person's name.


4 minutes ago, Spotty said:

I'm not too sure, but I believe in Canada the SIN is their form of tax file number. Not sure about Germany, but often countries and institutions within them use the tax file number/social security number as one means of proof of identity. This means that if that information falls into the wrong hands, along with information such as names, addresses, birthdays, etc., it may open up the possibility of identity theft, and thus the possibility of taking out bank loans or credit cards in that person's name.

As far as I know, in the US you can do almost anything with a person's SSN (I guess most people remember the Equifax hack). In Germany you only use the tax number for employment or to file taxes. I don't actually know if you have a citizen number, as I immigrated from Denmark, where you have a digital 2-factor citizen ID.

 

Nevertheless, sucks for everyone involved... imagine how many people might have seen this information.


I hope he makes a video about the importance of destroying or sanitizing old office PC devices. It'll be good for the team to visit Geep and explain why their business exists. 
To help redeem Geep too for the amount of hate it got from Scrapyard Wars when they were just doing their job.

 

 


2 minutes ago, ricsonc said:

I hope he makes a video about the importance of destroying or sanitizing old office PC devices. It'll be good for the team to visit Geep and explain why their business exists. 
To help redeem Geep too for the amount of hate it got from Scrapyard Wars when they were just doing their job.

I don't think data security had anything to do with why Geep didn't want to trade with Linus. Presumably they would have stock on hand that was wiped and ready for wholesale.

I think it had more to do with them only wanting to deal with re-sellers and not end-users. There's many reasons why this may be the case, such as that way they don't have to deal with warranties and customer support and whatever else that comes along with dealing retail direct to the customer.


A bunch of unencrypted and un-wiped servers that belonged to the now defunct NCIX, and that held massive amounts of shoppers' payment information, have been sold to a lucky buyer on Craigslist.

 

It would appear bankruptcy forgoes the rules of data security, and that isn't a good thing for many.

 

RIP NCIX

 

https://www.zdnet.com/article/canadian-retailers-servers-storing-15-years-of-user-data-sold-on-craigslist/


15 hours ago, Remog said:

Contact the Government (Service Canada) immediately. 

 

And probably consider legal options. Maybe a class action is something that could happen in the future? Though IANAL so YMMV

The government unfortunately won't be able to do much for you. I work for Service Canada and have dealt with personal information breaches before. They will not issue you a new SIN number. That is only done in very rare circumstances (e.g. witness protection cases). Your best bet is to contact a reputable consumer credit report company and have them flag any activity that pings your credit file. Unfortunately, they will not offer that service free of charge. Otherwise, if you're concerned about your credit card info having been stolen, it's always a good idea to request a new credit card every year or two, just to be safe.


6 minutes ago, Sid Freeman said:

The government unfortunately won't be able to do much for you. I work for Service Canada and have dealt with personal information breaches before. They will not issue you a new SIN number. That is only done in very rare circumstances (e.g. witness protection cases).

 

Wow, I didn't know that. That's even scarier. The impact of this just keeps getting more severe. 


This is being more widely reported now and has been picked up by The Register.

 

Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

Infosec bod claims he glimpsed sensitive personal info left on unwiped servers

Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed.

Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers.

Stop and think a second, something is more than nothing.
