
NCIX Data breach 2018

SirRemog
Message added by vanished

This is the thread on this news story.  If you see other threads popping up about it, please report them and ask for them to be merged in here.  Don't bother commenting on them.

Edit: This has grown a bit, so I am going to modify the post to add more info from the article to make it easier to parse:

 

This is an important thing for anyone who interacts with e-commerce retailers. As the web evolves sites open and close, some big, some small. When the big ones fall, what happens to your data?

 

In one very big and public case the worst thing that could happen, happened.

If you've ever bought anything on NCIX before it went defunct, worth a read.

Especially important considering Linus's history with NCIX - perhaps some of his own data is breached as part of this brokering.

 

Quote

Millions of Canadian and American consumers are now at risk thanks to a series of shady backroom deals that have resulted in records detailing 15 years of business being sold.

 

https://www.privacyfly.com/articles/ncix_breach/

 

--- 

Sort of a TL;DR:


On August 1, 2018, a Craigslist ad was discovered purporting to be selling two servers, one a Database Server from the now-defunct NCIX and the other a Database Reporting Server. The seller claimed to have acquired both from Vancouver-based Able Auctions. After some back and forth, a meeting was arranged where the data could be viewed.

The server contained some XML documents with usernames and passwords and database references but no data. When asked, the person selling stated they had the network storage as well as NCIX’s entire server farm from the east coast, which had been shipped back to their Richmond warehouse several months previously. That was only the beginning...

As the story developed, the source of quite a bit of the information came to light: 

 

Quote

NCIX had been renting a portion of a warehouse in Richmond where all the hardware is currently located. He explained that the owner of the hardware is currently NCIX’s previous landlord, as NCIX had abandoned the hardware when they failed to pay a past-due rent total of $150,000. Jeff stated that he was a former systems administrator for a Richmond-based telecommunications company and was helping NCIX’s landlord recover the money he was owed in exchange for being able to copy the source code and database to aid his development team on a project.

 

Further, ~300 desktop computers from NCIX’s corporate offices and retail stores, 8 DELL PowerEdge servers, as well as at least two Supermicro servers running StarWind iSCSI Software as backup servers. There were also 109 hard disks pulled from auctioned servers.

 

Also, and this is something VERY important for those who have ever had computer repairs done at NCIX: a large pallet of 400-500 used hard drives from various manufacturers.

Quote

Jeff believed these contained a combination of functional but decommissioned hard drives used by NCIX and customer data from machines that had been in for repair at the time of bankruptcy.

Let that bit sink in. CUSTOMERS' PERSONAL data.

 

In another face-to-face meeting, more data was reviewed on some of the SuperMicro servers, as well as the desktop machines used by NCIX staff.

 

On the desktop, it was discovered that it had been used by a former NCIX employee named Chadwick Ma. The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers' IDs, bills, and Mr. Ma’s T4, among other files. It is safe to assume the other desktops probably contained even more information about other employees.

 

On the SuperMicro backup server:

Quote

The first image I explored contained multiple folders of invoices from their retail stores, while the second contained images of devices. I mounted one image belonging to Steve Wu, the founder of NCIX. Inside I found data going back 13 years, financial documents, employment letters containing SIN numbers, and data from Mr. Wu’s home computer which featured personal documents and images of his family mixed in with numerous private photos of high-end escorts from mainland China. I then moved forward with examining some of the SQL databases titled nciwww.MDF, payroll_Data.MDF, OrdersSql.MDF, posreports.MDF, among other names, and this is where things got increasingly worrisome.


A rundown of the types of information contained in the UNENCRYPTED storage and databases: 

  • nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data
  • Customer service inquiries including messages and contact information
  • three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords.
  • full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.
  • OrdersSql_Data contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data.
  • Financing programs
  • Employee records
  • Vendor pricing
  • Confidential company emails 
  • Source Code
  • intellectual property from NCIX’s ventures into manufacturing
  • Other confidential data

The final important bit about what was really happening to the data, and that it was really and truly up for sale to the highest bidder:

Quote

The examination portion of the meeting began to wind down as time flew by and Jeff jumped into brokering a deal over a cup of tea. The first offer was thirty-five thousand dollars, which would allow me to purchase all the desktops and server hardware, excluding one group of hard drives that I had analyzed which he would allow me to copy. This struck me as strange and I inquired as to why I couldn’t purchase those drives. He explained that those drives and the data on them had already sold for around fifteen thousand dollars to a foreign buyer who was arriving in Vancouver to acquire them in December. “December?” I quipped in a questioning tone, which prompted Jeff to explain that, even though the buyer was picking up the physical drives in December, Jeff had already copied the data from those drives to a network storage device and allowed the buyers remote access. The data on those drives contained thirteen terabytes of SQL databases and various VHD and Xen server backup files.

Please, let's not underestimate the impact here. Not only does this affect you if you've purchased hardware from NCIX at any point in the last 15 years, it also impacts you:

  • if you have ever worked for NCIX as an employee or contractor,
  • if you've ever had a vendor agreement with them,
  • if you've ever communicated with them in any way,
  • if you've received service from them in the form of repairs, especially up to the point where they declared bankruptcy.

Your confidential and personal information is blown to the wind. Depending on your relationship to them the damage goes from inconvenient to outright life changing.

 

Edited by Remog
More detail and information added to help readers.

1 minute ago, Rune said:

Huh, so maybe those boxes containing records in the @LinusTech NCIX video were actually up for auction....

Seems like EVERYTHING was; most of what was part of this breach seems to be data that was on hardware liquidated from their East coast data centre due to non-payment of rent, as well as desktop equipment and servers from all over NCIX's properties.

 

It would not surprise me if there is even more stuff that was not part of this specific breach but was thrown to the wind, regardless. 


This is in many ways the single worst thing that could have possibly happened in a data breach scenario... employee INCOME TAX records are now out there - income, SSNs, home addresses... Not to mention customer transaction and CC data... This could ruin lives.


11 minutes ago, Remog said:

This is in many ways the single worst thing that could have possibly happened in a data breach scenario... employee INCOME TAX records are now out there - income, SSNs, home addresses... Not to mention customer transaction and CC data... This could ruin lives.

Yea, and why they would store this all unencrypted is beyond me. They were also storing unsalted MD5 passwords and even some plaintext passwords! Did they just decide to throw this mess of a system together themselves one weekend and decide it was good to go?
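As an added illustration (not from the article or anyone in this thread) of why the unsalted MD5 storage discussed above matters and what a fix looks like: the user records below are constructed and hypothetical, and the login routine rehashes each legacy entry to salted PBKDF2 the first time its owner signs in.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of table the article describes: customer
# e-mail -> unsalted MD5 of the password. Hypothetical users, not real data.
LEGACY_USERS = {
    "alice@example.com": hashlib.md5(b"winter2017").hexdigest(),
    "bob@example.com":   hashlib.md5(b"winter2017").hexdigest(),
    "carol@example.com": hashlib.md5(b"hunter2").hexdigest(),
}

# OWASP (2023) recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def shared_legacy_hashes(users):
    """Audit helper for a database like the one above.

    Unsalted hashing leaks equality: every user with the same password gets
    the same digest, so one recovered password exposes all of them at once.
    Returns the set of digests that occur for more than one user.
    """
    seen, dupes = set(), set()
    for digest in users.values():
        if digest in seen:
            dupes.add(digest)
        seen.add(digest)
    return dupes


def hash_password(password, salt=b""):
    """Salted, deliberately slow hash. Stored as algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the record's own salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(users, user, password):
    """Transparent migration: a legacy MD5 record is checked once, then
    replaced with a salted PBKDF2 record in place. Returns True on success."""
    stored = users[user]
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(password, stored)
    legacy = hashlib.md5(password.encode()).hexdigest()
    if hmac.compare_digest(legacy, stored):
        users[user] = hash_password(password)   # upgrade on first good login
        return True
    return False
```

The audit in `shared_legacy_hashes` is the quick check a DBA can run against an existing table to see how much a single cracked password would expose.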


I read through the whole article and it is actually really bad, like really really bad. All the addresses, credit cards, phone numbers, names, secret NCIX documents etc.

I'm very happy I haven't bought from NCIX.

 

But @Remog maybe try to add some more info to your posts, so those who can't be bothered to read the whole article can still understand the severity of the situation.

I only see your reply if you @ me.

This reply/comment was generated by AI.


https://www.privacyfly.com/articles/ncix_breach/

 

 

Quote

 

I was then led by Jeff to the NCIX server on the table and handed passwords on a piece of paper. I sat down and began to review the contents of the hard disk. The first folder I opened was documents, where I found some passwords and notes from who I assume was a system administrator for NCIX. I then stumbled upon various XML files which gave me some insight into what was inside the database files. Between a couple of different XML files, I found plain text names, usernames, passwords, and addresses. I then opened SQL Server Management Studio, which is a tool used to manage the database files. Unfortunately, this is where my exploring ground to a halt.

 

I then opened one of the Canadian databases titled OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data. I also opened a more recent version of the file and it contained the addition of email addresses. As time ticked by, I quickly looked at more databases and discovered data from a financing program, employee records and vendor pricing.

 

 

 

Welp, today is not a good day to be a PC enthusiast.

 

This breach is going to hurt some more than others. I also wonder if Linus's T4 is in there?


2 minutes ago, Origami Cactus said:

I read through the whole article and it is actually really bad, like really really bad. All the addresses, credit cards, phone numbers, names, secret NCIX documents etc.

I'm very happy I haven't bought from NCIX.

 

But @Remog maybe try to add some more info to your posts, so those who can't be bothered to read the whole article can still understand the severity of the situation.

You're right it is a lot to process. I can work on a summary here in a bit. 


Oh my. I was going to make a joke, but this is... awful.


4 minutes ago, Remog said:

You're right it is a lot to process. I can work on a summary here in a bit. 

Yeah maybe add that quote too:

Quote

I was then led by Jeff to the NCIX server on the table and handed passwords on a piece of paper. I sat down and began to review the contents of the hard disk. The first folder I opened was documents, where I found some passwords and notes from who I assume was a system administrator for NCIX. I then stumbled upon various XML files which gave me some insight into what was inside the database files. Between a couple of different XML files, I found plain text names, usernames, passwords, and addresses. I then opened SQL Server Management Studio, which is a tool used to manage the database files. Unfortunately, this is where my exploring ground to a halt.

 

I then opened one of the Canadian databases titled OrdersSql_Data, it contained many versions going back 15 years with the most recent dated in 2017. The version I opened contained three million, eight hundred forty-eight thousand (3,848,000) records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data. I also opened a more recent version of the file and it contained the addition of email addresses. As time ticked by, I quickly looked at more databases and discovered data from a financing program, employee records and vendor pricing.

 


Yah, no one actually gives a fuck about your data.

Businesses dump hardware on eBay all the time without properly secure-erasing it. You'd be surprised how many things I've gotten that either have customer data on them or where a simple data recovery program can bring it up. This is why so many just sell the shit without hard drives. Better that than to trust the business selling your old hardware to properly erase disks. They may say they do, but proper secure erasing or even slow formats are time consuming.

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch


Was about to post this; glad to see @Remog is quicker than me. Can we get some feedback from the LTT staff or Linus in regards to this?

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


1 minute ago, Syntaxvgm said:

This is why so many just sell the shit without hard drives

Generally, the standard practice is to destroy storage media on the hardware being sold. It's just what you do if you are halfway professional. Not everyone is, lots of people are just lazy, but that doesn't excuse it. They don't get a pass because 'it happens all the time'.


I honestly hope there are a couple of European citizens with data in there; with the new GDPR rules this could be the only way for Americans/Canadians to get some justice.


Can you really call this a breach though?

 

I mean it sucks for those innocently caught up in it for sure but nothing was actually breached, they sold it.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


19 minutes ago, Remog said:

Generally, the standard practice is to destroy storage media on the hardware being sold. It's just what you do if you are halfway professional. Not everyone is, lots of people are just lazy, but that doesn't excuse it. They don't get a pass because 'it happens all the time'.

Well, the reality is many request they be put through secure erase unless legally required to destroy drives. The reason they request it is that the resale value/appeal of something loaded with an OS and ready to go is so, so much higher.
There are also some sellers who will take the drives and, instead of destroying them, sell them using a different eBay account. I've even gotten drives with medical records from eBay.

The smart/ethical organizations pull the drives out and hit them with a drill press themselves before even having it reach a seller, and those with legal requirements like HIPAA often use a NAID AAA certified computer recycler/reseller. 

But I just bought some computer equipment from a small company that specifically deals with medical billing as their main business and I had to remind them that the drives need to be removed and destroyed before I get them, soo....yea reality.

Remember that most laws governing secure data practices only dictate punishment for a breach, not bad practices. So they risk it. Chances are low and it's not their problem. 

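Added example, not from anyone in this thread: a small Python check of the kind a reseller or buyer can run before a drive changes hands, reading a drive image (or a block device such as /dev/sdb, as root) end to end and reporting the first non-zero byte plus any well-known partition or filesystem markers still in the header. It only inspects the user-visible LBA range; hidden areas and remapped sectors are why ATA Secure Erase or physical destruction remain the real answer, but this catches the "never wiped at all" case the posts above describe. The marker list and the sample images are constructed.

```python
import os
import tempfile

# A few well-known on-disk markers (absolute offset, bytes, meaning).
# Finding any of these on a drive that was supposedly erased means it was not.
KNOWN_MARKERS = [
    (3,    b"NTFS    ", "NTFS boot sector OEM id"),
    (510,  b"\x55\xaa", "MBR/VBR boot signature"),
    (512,  b"EFI PART", "GPT partition table header"),
    (1080, b"\x53\xef", "ext2/3/4 superblock magic"),
]


def scan_for_residue(path, chunk_size=1 << 20):
    """Read the image/device sequentially. Returns a dict with
    bytes_scanned, first_nonzero (offset or None) and markers (names found)."""
    result = {"bytes_scanned": 0, "first_nonzero": None, "markers": []}
    with open(path, "rb") as f:
        head = f.read(4096)
        for offset, magic, name in KNOWN_MARKERS:
            if head[offset:offset + len(magic)] == magic:
                result["markers"].append(name)
        f.seek(0)
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            if result["first_nonzero"] is None and chunk.count(0) != len(chunk):
                # chunk is not all zeros: find the exact offset of the residue
                for i, b in enumerate(chunk):
                    if b:
                        result["first_nonzero"] = result["bytes_scanned"] + i
                        break
            result["bytes_scanned"] += len(chunk)
    return result


def is_safe_to_resell(path):
    """True only if every byte is zero and no partition/filesystem marker remains."""
    r = scan_for_residue(path)
    return r["first_nonzero"] is None and not r["markers"]


def make_sample_image(kind, size=64 * 1024):
    """Constructed test images: 'wiped' is all zeros; 'ntfs_leftover' mimics an
    NTFS volume header with an old customer record still sitting in the data area."""
    buf = bytearray(size)
    if kind == "ntfs_leftover":
        buf[3:11] = b"NTFS    "
        buf[510:512] = b"\x55\xaa"
        record = b"customer: J. Doe (constructed), card ending 1234"
        buf[8192:8192 + len(record)] = record
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(buf)
    return path


if __name__ == "__main__":
    for kind in ("wiped", "ntfs_leftover"):
        img = make_sample_image(kind)
        print(kind, scan_for_residue(img), "resell ok:", is_safe_to_resell(img))
        os.remove(img)
```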


Quote

I further learned that he still possessed around 300 desktop computers from NCIX’s corporate offices and retail stores, 18 DELL Poweredge servers, as well as at least two Supermicro servers running StarWind iSCSI Software that NCIX had used to back up their hard disks. In addition, there were also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers.

Quote

The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained FULL CREDIT CARD PAYMENT DETAILS in plain text for two hundred and fifty-eight thousand users between various tables.

 

https://vancouver.craigslist.ca/rch/sys/d/ncix-database-servers/6677293677.html

 

Anyone else want a server?


Would LOVE to see Linus' take on this, both on the WAN Show as well as a video emphasizing the importance of PCI compliance and data encryption. Maybe that clip from the auction that @rcmaehl screengrabbed could intro that video.

@Remog said it: This could ruin lives.

Just... facepalm.


1 hour ago, rcmaehl said:

Was about to post this glad to see @Remog is quicker than me. Can we get some feedback from the LTT staff or Linus in regards to this?

@Aprime on Reddit said he already passed the info along.

Personal Rig:

CPU: i7-11700K  | Mobo: MSI Z490-A PRO | RAM: 2x G.SKILL Ripjaws V Series 8GB = 16 GB  | GPU: ASUS GTX 1070 Strix (I know I need to upgrade) | Storage: Samsung 970 Evo Plus 250 GB, WD Blue 1 TB, WD Red 2 TB, and WD Red 4 TB | Case: Enermax Ostrog Black and White | PSU: EVGA 750GT 80+G | Cooling: Noctua NH-U12S in Push/Pull with Black Noctua Industrial Fans, 2 120mm Noctua Chromax Fans, and Corsair AF120 on the side panel | Display: 22" Asus VE228 1920 x 1080 and a 32" Samsung (of somesorts) 1920 x 1080 on a WALI Arm (I share displays/desk with two builds) | Mouse: Logitech M705 | Keyboard: Logitech K350 | Random: 90mm of CableMod RGB Magnetic Strips | OS: Win 11 Education x64 

32" Samsung CF397 1920 x 1080

Linux/test Box:

CPU: Ryzen 5 2600  | Mobo: ASRock AB350M mATX | RAM: 2x Crucial 8 GB DDR4 = 16 GB | GPU: Asus GT 1030 | Storage: Sandisk SSD Plus 120 GB, Samsung 970 Evo 256GB SSD, 2x 2TB Seagate IronWolf NAS Drives  | Case: Cooler Master N200 mATX | PSU: EVGA 400W | Cooling: Stock Cooler and 3x Cooler Master 120mm Fans | Display: 22" Asus VE228 1920 x 1080 and a 34" LG 43WL500-B 2560 x 1080 on a WALI Arm (I share displays/desk with two builds) | Keyboard: Logitech K270 | Mouse: Logitech M185  | OS: Ubuntu 22.04 LTS and Windows 10 Pro x64

 

13" Macbook Air M1:

CPU: Apple M1 8-Core and 7-Core "GPU"  | RAM: 8 GB DDR4  | Storage: 256 GB | Display: 2560 x1600 Retina Display | Mouse: Built-in trackpad and Logitech M557 | Keyboard: built-in keyboard and Logitech K480 | OS: MacOS Monterey

 

Laptop (Acer Pedator Helios 300 2017 edition) (Don't use as much anymore since graduating college and mostly using my Macbook and HP Elitebook for Work):

CPU: i7-7700HQ  | RAM: 16 GB DDR4  | GPU: GTX 1060 6 GB | Storage: Samsung 980 500 GB SSD and Seagate 1 TB Firecuda | Display: Acer IPS 15.6" 1920 x 1080 Display | Mouse: Logitech M557 and built-in trackpad (never use lol) | Keyboard: built-in keyboard and Logitech K480 | OS: Windows 11 Pro x64

 

Home Theater Setup

Computer: M1 Mac Mini w/8GB RAM and 256 of Storage (plus a external 500GB Samsung T7 for Plex) | TV:LG 4K - 55" UQ9000 LED | Speakers: Sonos Ray and 2 Sonos One SLs for Rear Surround | Media Box: Apple TV 4K | Consoles: Xbox Series S and Nintendo Switch | Mouse/Keyboard: Logitech K400 | HDHomerun Flex 4K and HDHomerun Flex Duo

 

Other Devices I use:

Phone: iPhone 13 Mini 128GB  | Tablet: iPad Mini 5 64GB LTE | Earbuds: Airpods 3 | Watch: Apple Watch SE 44mm
