Unencrypted NCIX Servers Sold on Craigslist, Complete with Customer Data

Servers that once belonged to now-defunct Canadian PC hardware retailer NCIX containing millions of unencrypted confidential records of employees, customers, and business partners turned up on Craigslist without being wiped.

Travis Doering of Privacy Fly details his experience inquiring about NCIX’s servers that were purchased at one of the company’s auctions earlier this year, then posted for sale on the online classifieds website Craigslist.

According to Doering, during correspondence with the seller, he learned that the data on the three NCIX servers — which were listed at a cost of $1,500 CAD each — had not been wiped of their data.

The servers — which date back to 2007 — were completely unencrypted and contained information like personal data such as credentials, invoices, photographs of customers IDs, bills, customer names, addresses, email addresses, phone numbers, IP addresses, and unsalted MD5 hashed passwords, just to name a few:

The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.

After several meetings with the seller, Doering learned that he had access to more NCIX servers and workstations that he had not initially advertised on Craigslist.

“In addition, there were also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers,” writes Doering. “I remember the feeling of dread as it came over me when I imagined what could have been exposed in those 500 desktops previously sold unencrypted and unwiped via Able Auctions.”

According to the report, the seller claimed to have access to the hardware after NCIX failed to pay a $150,000 CAD bill for warehouse storage space after it filed for bankruptcy and closed its stores’ doors. None of this information was able to be confirmed.