RCMP and privacy commissioner probe alleged NCIX data breach
Questions raised after ads appear offering old computer database equipment for sale
The RCMP and Office of the Information and Privacy Commissioner of British Columbia are investigating allegations of a possible data breach involving the bankrupt computer retailer NCIX.
Authorities are investigating a claim that NCIX's database servers have been advertised for sale online with all of the information still intact.
In doing so, it may have compromised the security of countless customers.
According to a statement from Richmond RCMP, the case was opened Thursday and police have seized the servers.
Yesterday afternoon we opened an investigation into data storage devices being sold online allegedly containing customer data from a defunct, but well-known computer retailer. We have since recovered the storage devices. Our investigation is active and on-going.
—@RichmondRCMP
The investigations began after a feature article appeared on a cybersecurity website called PrivacyFly this week..
The piece detailed how the author arranged to meet a man who was selling computer hardware he advertised as being from the now defunct company NCIX.
NCIX computers for sale
The author Travis Doering is a systems analyst who says he noticed a Craigslist ad listing NCIX computers for sale.
Doering says he arranged to meet the seller, a man who called himself Jeff, in a warehouse in Richmond. He says he was stunned when the man offered the information from offline backup servers on millions of transactions.
"Every record for more than 10 years was there."
He says he saw personal data of customers, including addresses, phone numbers.and financial information.
"Credit card information was there in plain text with numbers, CVVs [Card Verification Value] and expiry dates," Doering said.
He also saw personal income tax information about employees such as T4 statements. He showed some of the statements to CBC News.
CBC has reached out to former NCIX employees but has not heard back.
Computer experts say they don't understand how this information would not have been encrypted.
Technical expert Graham Williams says he was shocked at reports of the breach and worries how much information may be out there.
"Looking at other breaches of Canadian retailers, we haven't seen this scope of information of user data, this amount of unencrypted data."
NCIX was a British Columbia-based computer seller that filed bankruptcy papers on Dec. 1, 2017.
The retailer closed its outlets in both Vancouver and Richmond.
On Friday, the office of the privacy commissioner refused to reveal the scope of the investigation.
WIth files from Belle Puri