Personal data belonging to both former employees and customers of computer retailer NCIX has ended up on Craigslist, alerting cybersecurity experts.
NCIX went insolvent last December, and its inventory was auctioned off. Able Auctions, tasked with moving the inventory, said that it believed all of NCIX’s data had been wiped from its systems prior to moving.
A cybersecurity expert, Travis Doering, found otherwise.
Doering, president of boutique cybersecurity firm Privacy Fly in Vancouver, told Global News that he was browsing Craigslist last month when he saw NCIX’s database hardware up for sale.
Out of curiosity, he emailed the seller to inquire whether the data inside was still available. After two meetings with the seller, Doering was surprised to find that the data was intact.
“In the one database alone, I found 3.8 million Canadian details. It contained details like items purchased, names, addresses, places of work, email addresses,” he explained.
It was not just consumer information that was on the server; former NCIX employees have confirmed that their data was also included.
“I was super shocked. I expected more from NCIX as a company to at least delete the files or at least encrypt it in some way,” Helena Phan, who worked for NCIX in 2015, told Global News.
“That’s sensitive information. There are people’s credit card numbers, debit card numbers, their home numbers and their addresses are on there. It’s just ridiculous.”
Former NCIX manager Kevin Ma has also verified that his data was left in the hardware. Company founder Steve Wu was unavailable to provide a comment on the security situation.
RCMP is now in possession of the hardware and has launched an investigation into the matter.
