ncix NCIX Data breach 2018

[_localhost]

17 hours ago, Terryv said:

Not his fault, everything was taken away from him when he went bankrupt.

 

I assume (someone correct me if I'm wrong) the blame lies with the company responsible for liquidating the assets.

Its entirely NCIXs fault. The data was criminally mismanaged, passwords and CC details in plain text.

 

What if they hadn't gone under but had a break in and theft instead. Same outcome.

[GlobalPentahedron Corp]

Chadwick is an actual person's name? lol I have been using it for comical purpose because it has Chad in it.

[GilmourD]

@LinusTech and @Slick are going to have an angry WAN Show tonight.

[Terryv]

48 minutes ago, _localhost said:

Its entirely NCIXs fault. The data was criminally mismanaged, passwords and CC details in plain text.

 

What if they hadn't gone under but had a break in and theft instead. Same outcome.

Agreed that it was mismanaged and could have easily suffered a breach, but in the end NCIX wasn't responsible for the sale of the drives containing that data.

[Spotty]

53 minutes ago, _localhost said:

Its entirely NCIXs fault. The data was criminally mismanaged, passwords and CC details in plain text.

 

What if they hadn't gone under but had a break in and theft instead. Same outcome.

Definitely poor form by NCIX for storing its data in the manner that they did.

In any other situation, such as the one you have outlined, NCIX would completely and entirely be at fault. However, in this particular instance with the circumstances surrounding it, blame also needs to be laid on the company that handled the liquidation process (as well as NCIX for mismanaging the data in the first place).

Not sure how accurate this is, so take this with a grain of salt, but I vaguely remember that the closure of NCIX was very abrupt, with basically employees showing up for work that day to face locked doors and being told they couldn't enter and they had lost their jobs. This means NCIX employees would have no way to securely wipe the data from the HDDs themselves if under the liquidation agreement they weren't allowed access to the NCIX property or systems.

Therefore, regardless of any wrongdoings of NCIX in mismanaging the information prior to this (ie. plain text), the responsibility should have transferred over to whoever was handling the liquidation process and sale of NCIX properties to ensure that the data and any personal documentation was removed and securely disposed of. Obviously in this situation this was not the case. Given the size and scope of the 'breach', I suspect the company that handled the liquidation process are going to be shitting themselves right about now.

[byAsh]

19 hours ago, exetras said:

Whoever did the PCI audits fucked up royally, they might end up being liable if it can be proven they fucked up.

It can be proved, none of it was encrypted, passwords weren't hashed, etc.

[Jon66238]

This will most likely end up on the WAN Show tonight.

[Slayerking92]

3 hours ago, vrod said:

I can't really understand why something as a SSN or similar would be needed to purchase a PC? Nevertheless I hope the government takes this seriously. Not a customer myself, I know that the people here in Germany would throw almost anyone involved with this to jail.

I don't know if NCIX offered credit, but SSN/SIN is often requested for that.

[cchhrriiss11]

Tipped off CKNW yesterday... haven't seen anything posted yet.

[BlueChinchillaEatingDorito]

2 hours ago, Sid Freeman said:

The government unfortunately won't be able to do much for you. I work for Service Canada and have dealt with personal information breaches before. They will not issue you a new SIN number. That is only done in very rare circumstances (eg. witness protection cases). Your best bet is to contact a reputable consumer credit report company and have them flag any activity that pings your credit file. Unfortunately they will not offer that service free of charge. Otherwise, if you're concerned about your credit card info having been stolen, it's always a good idea to request a new credit card every year or two. Just to be safe.

So what is the Government doing to handle customer and employee information in the case of bankruptcy? Looks like my initial comment got lost in the weeds of the flame war. But surely once NCIX filed for bankruptcy with the courts, there should be some Government oversight on what can and cannot be sold and all documents and servers containing customer and employee information should've been ceased. As someone screenshotted before, Linus toured of the auction floor and there were boxes and boxes of documents of what people would presume to potentially contain all sorts of personal information. There seems to be nothing stopping creditors and auctioneers from selling this stuff. And if there's money to be made on selling personal information (which is a great seller online), why would creditors and auctioneers do the right thing and not sell this stuff if no one is going to follow up on the whereabouts of it?

 

I agree with @Spotty on this one. It just seems like a complete failure on all parties involved, both on the retailer side, the creditor/auctioneer side, and the Government side. Had NCIX encrypted its drives, it probably would've save their butts with regards to the servers. But with paper documents, it's not like you can shred them all before filing for bankruptcy. 

 

NCIX just happened to be the juggernaut that found itself in this situation. But I can bet you a ton of small businesses do the exact same and would've ended in the exact same way. Heck, I doubt even your neighbourhood physician encrypts patient information. I was helping a physician update patient electronic records before his retirement, and well there isn't much in terms of security. 

[Jwzj303]

Is there any ability for legal action to be taken in this case? Seems to me like this really screws over customers and employees, but because NCIX doesn't actually exist anymore is there any chance for those affected to bring action against NCIX? 

[Spotty]

3 minutes ago, BlueChinchillaEatingDorito said:

So what is the Government doing to handle customer and employee information in the case of bankruptcy? Looks like my initial comment got lost in the weeds of the flame war. But surely once NCIX filed for bankruptcy with the courts, there should be some Government oversight on what can and cannot be sold and all documents and servers containing customer and employee information should've been ceased.

Not sure how it works in Canada, but here (Australia) as far as I know it's normally a private accounting agency that specialises in administration that takes over the company and liquidates the assets on behalf of the company and uses the funds from the liquidation process to pay out the secured investors what they are owed (and take a small cut for themselves for their services). While you need to file appropriate documentation to the Government (mainly for tax reasons), the administration/liquidation operation of selling off the assets is typically not a Government run operation. Things may be different in Canada, however.

 

4 minutes ago, BlueChinchillaEatingDorito said:

Had NCIX encrypted its drives, it probably would've save their butts with regards to the servers. But with paper documents, it's not like you can shred them all before filing for bankruptcy. 

And it would possibly even been illegal for them to destroy any documents before/after filing for bankruptcy/going in to administration/liquidation. Also many of the documents such as employee files are required to be kept for a period of X years for tax and other reasons.

Even if the documents/files can't be destroyed, it does not excuse the fact that they ended up in public hands - which should never have happened.

[BlueChinchillaEatingDorito]

1 minute ago, Spotty said:

Not sure how it works in Canada, but here (Australia) as far as I know it's normally a private accounting agency that specialises in administration that takes over the company and liquidates the assets on behalf of the company and uses the funds from the liquidation process to pay out the secured investors what they are owed (and take a small cut for themselves for their services). While you need to file appropriate documentation to the Government (mainly for tax reasons), the administration/liquidation operation of selling off the assets is typically not a Government run operation. Things may be different in Canada, however.

It just seems like a giant loophole. It looks like process is similar here as it would be in Australia. I'm just suggesting that the Government should oversee the handling of personal and employee records once a company goes bankrupt. Since they're filing this with the courts, all of this data should've been ceased for both tax and privacy reasons. Of course, the Government would not be involved with handling whatever stock the bankrupt company has left. But when it comes to the handling of servers and documents containing this vital information, there should've special handling put in place. As it stands right now, this stuff is just treated like any other lot in an auction. 

 

11 minutes ago, Spotty said:

Even if the documents/files can't be destroyed, it does not excuse the fact that they ended up in public hands - which should never have happened.

Someone on the creditor/auctioneer side definitely knew what they were doing. If they claim they didn't know what was on those servers, I don't believe them a bit. It's a bunch of servers from a retailer, what did you think was going to be on them? Clearly they weren't there to run Minecraft servers. 

[Jtalk4456]

I keep trying to come up with something clever to say or a meme to add, but i got nothing. This just hurts...

[Spotty]

10 minutes ago, BlueChinchillaEatingDorito said:

It just seems like a giant loophole. It looks like process is similar here as it would be in Australia. I'm just suggesting that the Government should oversee the handling of personal and employee records once a company goes bankrupt. Since they're filing this with the courts, all of this data should've been ceased for both tax and privacy reasons. Of course, the Government would not be involved with handling whatever stock the bankrupt company has left. But when it comes to the handling of servers and documents containing this vital information, there should've special handling put in place. As it stands right now, this stuff is just treated like any other lot in an auction.

Such document handling should have been handled by the firm that handled the administration process of the company. That's part of their job and what they're being paid for. They may even find themselves in trouble if for whatever reason they are requested to present those documents to the Government or in court and are unable to do so because they've 'accidentally' sold them.

 

Maybe this is just one of those situations where technology is advancing quickly and the laws and processes on such matters hasn't properly caught up?

 

Quote

Someone on the creditor/auctioneer side definitely knew what they were doing. If they claim they didn't know what was on those servers, I don't believe them a bit. It's a bunch of servers from a retailer, what did you think was going to be on them? Clearly they weren't there to run Minecraft servers. 

I'm sure they weren't expecting the office computers to allegedly have pictures of the hookers that the company owner allegedly hired

[Colonel_Gerdauf]

So I have two things to say to this:

 

1) I cannot help but feel that even this degree of laziness and incompetence in enterprise-level security is VERY commonplace. Think about this for a moment: not every business is run by tech-savvy people, and even for those who are, many are dealing with a level of abstraction where proper communication to those that may have properly taken care of it is outright impossible. This leaves CEOs and managers in a perpetually ignorant state of mind.

2) More important to this case, do we know what the latest point of time is that the database servers were logging? Because I have read that this was from servers seized after NCIX failed to pay an earlier rent. It could be 2007, it could be 2015, it could even be at the time of bankruptcy. The important part is knowing when the logs of the suspect servers stopped recording data.

[Jtalk4456]

7 minutes ago, Jtalk4456 said:

I keep trying to come up with something clever to say or a meme to add, but i got nothing. This just hurts...

ok i got over the pain, here's my response

just without the moving and dancing

[exetras]

59 minutes ago, cchhrriiss11 said:

Tipped off CKNW yesterday... haven't seen anything posted yet.

I Shared it with CBC go public.

[Spotty]

1 hour ago, Colonel_Gerdauf said:

2) More important to this case, do we know what the latest point of time is that the database servers were logging? Because I have read that this was from servers seized after NCIX failed to pay an earlier rent. It could be 2007, it could be 2015, it could even be at the time of bankruptcy. The important part is knowing when the logs of the suspect servers stopped recording data.

According to the article it was a period of 13 years, with the last entry found being dated 2017.
 

Quote

I mounted one image belonging to Steve Wu the founder of NCIX. Inside I found data going back 13 years, financial documents, employment letters containing SIN numbers, and data from Mr. Wu’s home computer

... <snip>...

All the various versions of the MDF database files had been unencrypted with the last file being dated in 2017 for most of the databases

 

Have re-read a bit more of the article (I didn't get all of the way through it at first. It's a tough read, it's like whoever wrote it was writing in their personal diary - See spoiler tag at the bottom)

 

--------

@James See you lurking the thread and guess you're writing the WAN doc. Be sure to check the two following quotes taken from the original article that detail how this person got access to these servers/HDDs (may not have been from NCIX's liquidation auction!), as well as an easy to miss comment that suggests that there may also be personal HDDs owned by customers of NCIX that were in systems put in for repair that may also be compromised. (Not sure if this has been discussed elsewhere already, but other articles I've seen on this issue have missed this info)

---------

 

I may have been incorrect in my earlier statements regarding the involvement of the company handling the Administration/liquidation process being responsible. It appears that these hard drives may have came from a different source than the liquidators auction, namely they were stored in a warehouse elsewhere and the owner of that facility claimed possession of the items when NCIX failed to respond to a past due notice. Now that facility is selling them off to recoup the losses of the money owed to them by NCIX.

 

Quote

Throughout the holiday weekend Jeff and I exchanged a series of emails, as I slowly learned more about what was being offered and his role within our deal. I crafted a story in which I was a lowly network engineer from a competing computer company that was looking to obtain the data. My thought was to paint myself as a cog in the machine to identify with Jeff. Fortunately, this fiction gained traction as Jeff confided in me that NCIX had been renting a portion of a warehouse in Richmond where all the hardware is currently located. He explained that the owner of the hardware is currently NCIX’s previous landlord, as NCIX had abandoned the hardware when they failed to pay a past due rent total of $150,000. Jeff stated that he was a former systems administrator for a Richmond based telecommunications company and was helping NCIX’s landlord recover the money he was owed in exchange for being able to copy the source code, and database to aid his development team on a project. I was unable to figure out who Jeff was currently working for, or what exactly they had been developing. Jeff proceeded to tell me that he had previously assisted the landlord in selling 500 of NCIX’s desktop computers and some enterprise hardware via Able Auctions in April of this year. Jeff assured me that while some hardware had been sold, he was careful to retain all the useful hard disks which he described as unencrypted and “cracked”.

 

 

Something else that I noticed, which was also particularly alarming to me...

Quote

In addition, there where also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufactures. Jeff believed these contained a combination of functional but decommissioned hard drives used by NCIX and customer data from machine’s that had been in for repair at the time of bankruptcy.

The possibility that there are customers personal hard drives from systems that were put in for repair at NCIX that this person now possesses really concerns me. Who knows what sorts of personal data may be stored on those drives from people who had their systems in for repair.

 

 

Spoiler

Seriously, what an awful, awful read. What is this, the guys personal diary?

 

Quote

August 1, 2018. A rare sunny day in rain ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself indulging my passion for used computer hardware by scouring Craigslist.

 

Quote

August 25th, 2018. I arrived to the agreed upon address, a warehouse in Richmond, British Columbia. I met an Asian man in his mid-thirties who identified himself as Jeff. He led me up a flight of stairs above the warehouse into a nearly empty office with cheap laminate flooring. The office contained three rooms. The first housed nothing but a child’s play mat. The second, a main room contained two cheap folding tables, some chairs and a tea stand. The third was sporting a bed, various electronics equipment and a NCIX Server propped up on a folding table in what I can only describe as feeling unsettlingly transient. I remember the thought crossing my mind that this was the kind of room someone could “disappear” in. Those thoughts were quickly dashed as Jeff’s young son came into the room, which put me at ease while also making me question why he would bring this son along on this deal.

 

Quote

Throughout the holiday weekend Jeff and I exchanged a series of emails, as I slowly learned more about what was being offered and his role within our deal.

 

Quote

Jeff showed me the 4th room in his warehouse, hidden at the back of the warehouse past the childs play area, the room with the table and chairs, and the room with the folding tables. Jeff called this room his Pleasure Room. The walls were lined with red leather and metal racks with various toys hanging, and in the middle of the room was a harness suspended from the ceiling. I had never seen the likes of such a contraption before, but it was immediately obvious what it was for. I turned to Jeff, and as I faced him he shushed me and gently placed a ball gag in to my mouth. He tightened the strap on the back of the ball gag, securing it in place and securing my fate. He lead me to the harness in the middle of the room and I followed, trusting him. After he straps me in to the leather harness and I feel the cold metal of the buckles against my skin, he grabs a whip from the rack against the wall. He approaches me and paces around me. Tied up I'm completely helpless and at his mercy... He moves behind me and whispers softly in my ear: "I'm going to fuck you harder than NCIX fucked its customers"...

Spoiler

I may have made this one up

 

Source: https://www.privacyfly.com/articles/ncix_breach/

Edited September 21, 2018 by Spotty
Annoying LMG Staff

[vanished]

5 hours ago, Syntaxvgm said:

im talking about the people in charge of keeping your data secure.

Oh, well yes, that is abundantly clear.  Doesn't mean that's how it should be though, or that that's acceptable.

[Tieox]

The shit has hit the fan, got thrown into a tornado, through a wormhole, into a universe full of shit, continued into the quantum realm of shit, before ending up as a shit doughnut on the plate of Thanos.

[This_guy1998]

The bad thing about when a company goes into Brankruptcy (in this case very quickly), the servers are usually the last thing to be flipped off because they are needed to run the business while they are closing. Also NCIX couldn't afford to pay a systems administrator to wipe (or transfer to the trustees) the system after they closed. This is a common but sad reality.

[vanished]

1 minute ago, This_guy1998 said:

The bad thing about when a company goes into Brankruptcy (in this case very quickly), the servers are usually the last thing to be flipped off because they are needed to run the business while they are closing. Also NCIX couldn't afford to pay a systems administrator to wipe (or transfer to the trustees) the system after they closed. This is a common but sad reality.

I know there are laws in place to protect and handle pensions in the case of bankruptcy.  Essentially they're forced to put aside money in a way that cannot be touched, so that the possibility of not being able to afford it cannot happen.  The same thing needs to be done for services like this.  Closing out the business responsibly and properly is not something it should be possible to skip, legally, ethically, financially, etc.

[This_guy1998]

22 minutes ago, Ryan_Vickers said:

I know there are laws in place to protect and handle pensions in the case of bankruptcy.  Essentially they're forced to put aside money in a way that cannot be touched, so that the possibility of not being able to afford it cannot happen.  The same thing needs to be done for services like this.  Closing out the business responsibly and properly is not something it should be possible to skip, legally, ethically, financially, etc.

Another problem in this case even the employees are/were owed $134,000 CAD according to their trustee https://www.bowragroup.com/bowra-netlink-computer

The law hasn't caught up to the times sadly for computer data. I work for a major big box retailer here in the US while I'm in college and I know if the data from their main system (this is one telnet based program that probably runs on a mainframe (they are moving to a GUI for parts of it, but I got a feeling that it still uses this system as a backbone) mostly used everything from customer and store to employee data) were to get leaked they would be in deep water (don't ask how they have employees login any part of system there, it's bad but they claim it's safe, probably because of some of the illiterale employees is why it's super "simple" to login). This system has been continuously used since the early 1990s, and I'm surprised it hasn't been hacked yet (considering they have been laying off people from their ISD (even though they are trying to become an online company) for the last bit. What I"ve learned from a professor is that even with low level access to any system damage can be done.

[robotprobot]

As a Cyber Security student I am cringing hardcore. 

 

This seems like a complete fuck up by both NCIX before their bankruptcy, and then by the liquidation company afterwards for not checking.