back to article Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed. Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers. Travis …

  1. tony trolle
    Alert

    guess someone will sue the landlords

    1. A.P. Veening

      Sue the landlords

      Good luck with that, they are in Canada.

      1. Destroy All Monsters Silver badge

        Re: Sue the landlords

        America is already pissed at Canada. Let's get these B-2 started.

    2. DougS Silver badge

      Why?

      Why should the landlord be under an obligation to check what's on the drives and clean them off? The landlord almost certainly wasn't selling stuff directly, but had contracted with a third party for disposal of everything left behind, from servers to whiteboards in conference rooms, in exchange for a cut of the sale proceeds. The landlord already got screwed for back rent, should they be more screwed by adding additional burdens on them?

      1. Anonymous Coward
        Anonymous Coward

        Re: Why?

        That they subcontracted their responsibility doesn't make it any less THEIR responsibility, because as they seized stuff, it became THEIR property.

        Or else, it'd be too easy to say "Hey, we found barrels of drugs, so we subcontracted to sell them, it's all fine, right?"

        So yes, I do hope the landlords get sued, as the effective data controller at the time of the breach.

        1. DougS Silver badge

          Re: Why?

          The landlord wasn't responsible for putting the data on the servers, and never "takes possession" of said data - how would they even know what is on the drives? Comparing it with finding drugs is ridiculous - sale/possession of drugs is illegal. Sale/possession of servers is not.

          If the business left dozens of filing cabinets, and had them hauled to the dump along with worn carpet, broken chairs etc., should they be held responsible if someone goes down to the dump, opens the filing cabinets, and finds people's personal data on the paper stored in them? I guess you think they should open the filing cabinets and shred/burn every scrap of paper just in case it contains something sensitive?

          If you take the view that once the tenant is evicted that the servers as well as the data on them is now the responsibility of the landlord whether they like it or not, the tenant could deliberately bankrupt the landlord. Let's say the landlord has been threatening the tenant with eviction, and the tenant decides to get him back should that occur. The tenant includes a dead man's switch in their code which requires a daily deactivation.

          The day the landlord comes and changes the locks, the servers are still running, but this time the tenant doesn't deactivate. With the dead man's switch activated, the servers now allow anyone to download the personal information of all customers in a convenient zip file (they can make it look like a bug, that was intended to only allow the company owner to download the data) Since in your world the landlord takes responsibility for said data when they evict the tenant, the landlord is now liable for a major violation of the GDPR!

          1. DavCrav Silver badge

            @DougS: Re: Why?

            "[Lots of stuff about dumping stuff and things, all irrelevant]"

            They are selling stuff, not chucking it in the bin. Once you start selling things to people, yes you are responsible for what you sell. Amazingly.

            Computers have data on them. This much is obvious. There's a pretty good chance that a company's computers have sensitive data, including personal data of customers, suppliers, employees, etc. There's no chance you are going to get away with a 'but how was I to know that the payroll computer had payroll details on it?'

          2. Cavanuk

            Re: Why?

            "I guess you think they should open the filing cabinets and shred/burn every scrap of paper just in case it contains something sensitive?"

            Yes. If they take possession then they take ownership and responsibility.

        2. DJ Smiley

          Re: Why?

          Technically the time of breach was when the Landlords took the items from NCIX.

          So.... back to suing NCIX then?

          1. DavCrav Silver badge

            Re: Why?

            "So.... back to suing NCIX then?"

            Why? I assume the stuff was seized with a court order, probably served with no notice so there's no chance to securely wipe sensitive data. You cannot just daily wipe all your servers on the off-chance someone is going to seize them.

            1. Hooda Thunkett

              Re: Why?

              No, but you can default encrypt the hard drives. NCIX didn't even do that.

          2. Chris Evans

            Re: Why?

            Yes that was the first breach, but everyone in the chain are in breach. Ignorance of the law is no defence.

            If you buy any second hand storage, the first thing you should do is wipe all data and when I say wipe I mean so it can't be recovered. Remember in the UK possessing certain types of pornographic images is illegal and IIRC people have been convicted even when the courts accepted that they didn't know they had them.

          3. Anonymous Coward
            Anonymous Coward

            Re: So.... back to suing NCIX then?

            Well, no. The landlords assumed ownership of the equipment, and then failed to destroy the PII contained on the equipment before they resold it. They're responsible.

            I used to work for a company that purchased and resold defaulted properties. Every once in a while, we would be deployed with an acquisitions officer because the previous tenants left computer equipment behind. Before we removed any of the equipment from the location, we first inventoried it and gave it a DBAN wipe. We then signed documentation affirming that we did not view or copy the data before we wiped the equipment.

            Cumbersome? Sure, but this is what we decided needed to be done to avoid liability and prosecution. YMMV.

            1. overunder

              Re: So.... back to suing NCIX then?

              Uhhh, this might be obvious, but the landlord's names isn't on any of the EULAs that 300,000 customers were in agreement with.

              How do you not get caught selling shit like this on Craiglist? I've seen far less shady ads draw attention and even a couple ads turned in to Be On the Lookouts (BOLOs). I myself had Xbox seller arrested in front of me at a gas station.

          4. Alan Brown Silver badge

            Re: Why?

            "Technically the time of breach was when the Landlords took the items from NCIX."

            A new breach occurs each time the data is passed on or used without authorisation.

      2. DavCrav Silver badge

        Re: Why?

        "Why should the landlord be under an obligation to check what's on the drives and clean them off? The landlord almost certainly wasn't selling stuff directly, but had contracted with a third party for disposal of everything left behind, from servers to whiteboards in conference rooms, in exchange for a cut of the sale proceeds. The landlord already got screwed for back rent, should they be more screwed by adding additional burdens on them?"

        They seized the drives. They now own the drives, including any data on them. Are they legally allowed to own that data? If not, they need to remove it, sharpish. And particularly not sell it on to criminals. That makes you an accessory to identity theft, and that is a criminal offence in most jurisdictions. If there's evidence it was used to commit fraud, expect extradition requests to start flying around.

      3. Agamemnon
        Coat

        Re: Why?

        Well, under Asset Forfeiture Law *the property* is actually responsible for the crime (might be more TechDirt's bailwick...but...) Let the FBI mull it over a bit and they'll figure something out.

      4. Alan Brown Silver badge

        Re: Why?

        "Why should the landlord be under an obligation to check what's on the drives and clean them off? "

        Canadian data protection and privacy laws for starters. I'd imagine that the canucks won't be sitting still on this.

  2. Joe Montana

    Full disk encryption?

    These machines were servers, if you enable disk encryption then you have to have a way to get the decryption key onto the box...

    Either you store it on the box, which defeats the purpose of encryption... Or you have to enter it in order to boot the box, which makes maintenance and recovering from failures (eg power) more difficult.

    Plus, encryption incurs a performance hit, which usually isnt wanted on a production server, and will increase costs.

    On the other hand, during normal operation only trusted IT staff will have physical access to these hosts, and those staff usually have administrative privileges anyway so the risk of them taking data directly from the drives is very low.

    The problem here is how the assets were disposed of when the company was liquidated.

    Also this happens all the time, its just that in most cases those acquiring the hardware either don't care about the data (ie they just wipe and reinstall the drives for their own use), or they do care about the data and don't want to draw attention to their nefarious activities with it.

    1. Danny 14 Silver badge

      Re: Full disk encryption?

      thats the problem. For some people encryption is aimed at people having the physical drives rather than server and physical drives. Often people just use TPM which would do nothing in a case like this.

      That also being said, just make sure you buy the admin desktop machine too. wonder if that had the keys in a file named "dont lose this file.txt" living on the desktop (TPM encrypted to the machine of course....)

    2. Anonymous Coward
      Anonymous Coward

      Re: Full disk encryption?

      "Either you store it on the box, which defeats the purpose of encryption... Or you have to enter it in order to boot the box, which makes maintenance and recovering from failures (eg power) more difficult."

      Or you store it on a separate HSM on the network, which can be used when the system boots to decrypt the needed secrets remotely.

      "Plus, encryption incurs a performance hit, which usually isnt wanted on a production server, and will increase costs."

      Not with today's hardware that always include AES instructions, the performance hit is negligible (or in other words, if you depended on that 5% performance gap, then your boxes all went down when you had to apply Spectre/Meltdown/Foreshadow mitigations).

    3. JHGibson

      Re: Full disk encryption?

      I encrypt my laptop. Encrypting a server or even a home desktop is tricky. How easy is it to recover individual files from an encrypted backup? If your backups are not encrypted, how do you protect your backup media?

      How do you make absolutely sure you do not forget the encryption key, store it in the company safe?

      This is one reason why I do not want my primary credit card stored on commercial servers.

  3. DougMac

    How's this different than normal?

    By the time a company is liquidated, anybody left there gives zero ***cks to what happens to anything left over, data, sensitive info, etc?

    I've cleaned out offices with tax forms, W-2's, etc. all left behind. This is normal.

    I've also bought 2nd hand filers from liquidated companies with full data still left on them. Source code, CAD drawings, records, etc. etc. Bought network gear with full configs (SNMP communities are always fun) still left on them, etc.

    Not many liquidators would have the means, knowledge or time to make sure things are securely wiped, and if it has come down to the end, its doubtful anybody still left at a company does either. They are the cleanup crew, get it out, get it gone. who cares.

    1. Peter Gathercole Silver badge

      Re: How's this different than normal?

      Normally, kit like this is sold by the liquidator or administrator to settle debts, pay creditors (after lining their own pockets, of course, as preferred creditors).

      Put the onus on them to clean the data from any kit that it sold on, and let them pass that obligation on to any disposals company that is engaged to clear a site. Make it a penalty on the liquidator to allow customer data to leak from a company they've closed down.

      Will probably mean more perfectly usable kit being destroyed rather than recycled, and possibly make the IT equipment more of a liability than an asset, but perfectly doable.

      1. Anonymous Coward
        Anonymous Coward

        Re: How's this different than normal?

        "Normally, kit like this is sold by the liquidator or administrator to settle debts, pay creditors (after lining their own pockets, of course, as preferred creditors)."

        And this is where the real issue lies.

        The equipment has been seized in lieu of debt.

        The creditors want to recover as much of that debt as possible, so sell equipment to the highest bidder. The highest bidder, in-turn, wants to recover as much money as possible with minimal effort. Adding responsibility for the data to the process adds additional costs no one wants.

        I would argue the only acceptable solution is encrypting all data at rest, so that in the event of this type of thing happening, everyone is covered, but as a non-compliant company can't pay any fines once they default, it's pointless, so we're back to arguing over how to make someone else responsible for the data when they are unlikely to have any knowledge of what they possess until they are non-compliant. Or just smash all disks and accept the (significant) additional cost given the parties involved...

        1. Doctor Syntax Silver badge

          Re: How's this different than normal?

          "Adding responsibility for the data to the process adds additional costs no one wants."

          Wanted or not the responsibility exists.

        2. Alan Brown Silver badge

          Re: How's this different than normal?

          "Or just smash all disks and accept the (significant) additional cost given the parties involved..."

          Disks are cheap. The data may have "value" but if trading it is illegal then it's valueless.

      2. Doctor Syntax Silver badge

        Re: How's this different than normal?

        "Make it a penalty on the liquidator to allow customer data to leak from a company they've closed down."

        It would have been under DPA, it is now with knobs on under GDPR.

    2. Doctor Syntax Silver badge

      Re: How's this different than normal?

      "Not many liquidators would have the means, knowledge or time to make sure things are securely wiped, and if it has come down to the end, its doubtful anybody still left at a company does either."

      Once one of them has been hit with a big GDPR fine they'll all make the time and acquire the knowledge. Either that or send the disk for secure destruction.

    3. Ken Hagan Gold badge

      Re: How's this different than normal?

      "By the time a company is liquidated, anybody left there gives zero ***cks to what happens to anything left over, data, sensitive info, etc?"

      That would be the wrong number of ***cks to give if it turns out that you, personally, are in the frame for a criminal conviction under data protection law. This liquidated company you speak of ... it has directors, right?

  4. Anonymous Coward
    Anonymous Coward

    QED

    Yet again, disposal is the problem.

    Best just have the disks crunched. Maybe that should now become a default process for any administrators handling liquidation (also gives you someone to sue later).

    Heck, I must see just how much one of these disk destructors costs. I may just have business for it myself (and, let's face it, it's fun to watch :) ).

    1. HighTension

      Re: QED

      Just get a 10 tonne or higher hydraulic press from a DIY/Car repair retailer. Much cheaper and essentially the same thing. Manual 10 tonne presses are probably $300-400.

      They will easily crack the cases of any drive, bend the platters to hell and strip the hub from the middle. With glass platters you get a satisfying crunch and tinkle as they shatter!

      1. kain preacher Silver badge

        Re: QED

        They have shredders for that.

    2. phuzz Silver badge
      Happy

      Re: QED

      Disk shredders are so much fun :)

      1. Fatman Silver badge

        Re: QED

        <quote>Disk shredders are so much fun :)</quote>

        Enjoy:

        https://www.youtube.com/watch?v=sQYPCPB1g3o

        1. John Brown (no body) Silver badge

          Re: QED

          https://www.youtube.com/watch?v=sQYPCPB1g3o

          Yep, definitely fun, but I'm surprised they didn't have a minimum wage monkey taking the drives out of the caddies and flog the results on Ebay.

      2. kain preacher Silver badge

        Re: QED

        Look like some hates disk shredders

        1. 's water music Silver badge
          Coat

          Re: QED

          Look like some hates disk shredders

          where do you think these comments are stored?

    3. HighTension

      Re: QED

      Someone seems to be randomly downvoting completely innocuous posts here. Can't fathom what they are getting out of it...

    4. katrinab Silver badge

      Re: QED

      There are loads of companies that do this, I’ve seen one that quotes £1 per drive, and they will come out to your place with a shredder inside a van and shred the drive in front of you. Presumably there is a minimum order, so if you just wanted one drive destroyed it would cost more than £1.

  5. Anonymous C0ward

    The liquidators who sold on the gear are the ones who should be sued. It is absolutely foreseeable that seized servers would contain confidential data. It's professional negligence.

    1. Wellyboot Silver badge

      >>>absolutely foreseeable<<< very true.

      Had this been in Europe it would be a massive breach of GDPR and all the sellers from landlord onwards would be in breach. The original company could claim 'force majeure' as an excuse because the equipment was seized, presumably at zero notice.

      In the UK, court appointed baliffs do a lot of these seizures, I wonder how many are aware of their new responsibilities?

      1. taxythingy

        > Had this been in Europe it would be a massive breach of GDPR and all the sellers from landlord onwards would be in breach. The original company could claim 'force majeure' as an excuse because the equipment was seized, presumably at zero notice.

        Of course, it is also **absolutely forseeable** that the company's servers might not be completely secure, given the regular data breaches, so slightly more security surrounding those databases might be considered a good thing.

      2. Mark 85 Silver badge

        The original company could claim 'force majeure' as an excuse because the equipment was seized, presumably at zero notice.

        I'm sure they had notice.. late rent payment mails, calls, etc. Warnings from lawyers and possibly even a court involved for bankruptcy and seizing the property. To say they no notice would be a stretch.

  6. 0laf Silver badge
    Mushroom

    "Since NCIX is nothing but a corpse now, those whose privacy has been breached – any customer or employee – have little chance for any redress, we fear."

    When the landlords seized the servers they became the custodians of the the data they contained and responsible for it. This is Canada which has a data protection adequacy agreement with the EU so we might find the Canadian authorities take this a lot more seriously than you think.

    1. Missing Semicolon Silver badge

      What about "Jeff"?

      On acquiring the drives, he became the new owner of the data. He actively sold data to which he had no consent attached (duh!) so he himself breached any Canadian DP laws. Surely, as the listing provides contact info, the Police should be round?

      1. Anonymous Coward
        Anonymous Coward

        Re: What about "Jeff"?

        Jeff was worse - the landlords and their agents could justifiably claim simple negligence for their oversight, but Jeff has knowingly instigated further breaches of that data by specifically selling it on to people whose business activities he "didn't want to know about". If that data is later found to be involved perpetrating any criminal activity he could find himself being charged as an accessory to the crime. Assuming it can be traced back to him, of course.

    2. Anonymous Coward
      Anonymous Coward

      > so we might find the Canadian authorities take this a lot more seriously than you think.

      No they didn't

      I live here and have been using NCIX for 3 different employers for the last 10 years.

      The security company that found the servers for sale reported it to the RCMP (mounties) they told him to call the Canadian Anti Fraud Center who told him they don't investigate they just record statistics of breaches and to call the RCMP.

      .. they just announced they will investigate after it made the news in the US.

      1. Alan Brown Silver badge

        "The security company that found the servers for sale reported it to the RCMP (mounties) they told him to call the Canadian Anti Fraud Center who told him they don't investigate they just record statistics of breaches and to call the RCMP."

        Very much a case of calling the wrong people - however both groups are very likely to have their arses hauled over the coals today by the Privacy Commissioner of Canada (OPC) due to this very public fuck up.

        Canadians do at least genuinely learn from such mistakes and I'd expect they should have procedures to handle such calls _properly_ by the end of the week.

  7. WonkoTheSane
    Facepalm

    Wait for it...

    I expect ex "Face of NCIX" Linus Sebastian to talk about this on his youtube channel Linus Tech Tips over the weekend.

    1. WonkoTheSane
      Happy

      Re: Wait for it...

      Called it!

  8. Ian Emery Silver badge

    I once bought some s/h computers from a famous college in London via a "refurbishing" company; the HDDs were chock full of student data.

    (The drives were 95% full - the performance slow down is probably why the idiots sold them off).

    As far as I could tell, "refurbishing" meant using a damp cloth to wipe the dust off of the cases; as they hadnt even done a basic reformat of the HDDs.

    If I had been Dr Evil, I could have re-cooped my £40 per box many times over.

    1. Alan Brown Silver badge

      "I once bought some s/h computers from a famous college in London via a "refurbishing" company; the HDDs were chock full of student data."

      This is why we don't let things out of our department without wiping them first. "certificates of erasure" or "data destruction" aren't worth the paper they're printed on and when the chickens come home to roost, they don't land on the recycler's doorstep.

  9. Anonymous Coward
    Anonymous Coward

    Until such a time as

    Company Directors are personally held liable... Nothing will ever change.

    Firms may fold, but if the executives are still alive, why are they immune?

    1. Killfalcon Silver badge

      Re: Until such a time as

      Same reason as always: without limited liability, starting a company is a massive gamble. I mean, it's already pretty risky, but who's going to put their time and money into a business if they can go to jail over their employees screwing up?

      A friend of mine is a lawyer who works with startups, and the one thing that keeps coming up is that they've got 2-5 people involved who need to know everything. They need to know data security, sure, most of us here do that, but they need to know international shipping, hiring practices, firing practices, legal standing of unions, supplier liabilities, tax law, health insurance (stateside), health and safety, and a dozen other things, any one of which could turn out to be the reason the company fails. Ending limited liability ends entrepreneurism, and society as a whole would like there to be entrepreneurs doing things.

      That's not to say there isn't room for reform, and that the protections shouldn't scale so that the heads of larger companies take progressively more risk, and career fraudsters should be shut down before their third or fourth bankruptcy... but there's a valid purpose at the core of it.

      1. Doctor Syntax Silver badge

        Re: Until such a time as

        "I mean, it's already pretty risky, but who's going to put their time and money into a business if they can go to jail over their employees screwing up?"

        The directors remain responsible for the company being run legally. Limited liability protects against debts. It's just that TPTB are reluctant to enforce it, presumably for the reasons you suggest. They need to use their powers more often if the actions are carried out in bad faith. At present the maximum extent seems to be to disqualify a director.

      2. Anonymous Coward
        Anonymous Coward

        Re: Until such a time as

        ”Same reason as always: without limited liability, starting a company is a massive gamble. I mean, it's already pretty risky, but who's going to put their time and money into a business if they can go to jail over their employees screwing up?”

        Sure, but the risk is also being borne by those who entrusted their data to you, who not only didn’t expect it, but who probably didn’t sign up for it in the contract. Which seems to me to be unacceptable.

    2. Doctor Syntax Silver badge

      Re: Until such a time as

      "Company Directors are personally held liable"

      Yet another of these things we have to repeat from time to time. GDPR and its UK embodiment in the new DPA has just such provisions.

    3. a_yank_lurker Silver badge

      Re: Until such a time as

      @AC - The other alternative is make the potential fines sufficient massive that they could make a significant impact on the p/l statement. GDPR does this as up to 4% of a companies gross world wide revenue would get noticed as it could either wipe an annual profit or significantly lower it. Both would get investors attention who just might add to the misery by suing for 'failure of fiduciary trust'.

      1. Anonymous Coward
        Anonymous Coward

        Re: Until such a time as

        "GDPR does this as up to 4% of a companies gross world wide revenue would get noticed as it could either wipe an annual profit or significantly lower it"

        Is this responsibility - and potential consequence for failure - inherited by the receiver / liquidator who takes control of a firm and/or any assets? [If not, why not? It doesn't stop being PII, after all]

    4. Alan Brown Silver badge

      Re: Until such a time as

      "Until such a time as Company Directors are personally held liable..."

      In this case - they are.

  10. Anonymous Coward
    Anonymous Coward

    T'was always thus

    Decades ago, I purchased some used filing cabinets for the office from a liquidator and found them stuffed with business records, including financial data. At least we had a contract with Iron Mountain.

  11. The Oncoming Scorn Silver badge
    Holmes

    To Add Insult To Injury

    A few of my colleagues used them in the past, I don't think I ever did due to being only here in the last 10 years.

    One of my colleagues has just been shown in one of the screen grabs posted on-line - To say he's not a happy bunny (ever) is a understatement at the current moment.

  12. Anonymous Coward
    Anonymous Coward

    RCMP does what?

    They are (or were) an NCIX customer. Hence an investigation. (You can google rcmp & NCIX for the link).

    So they are just looking after their own interests.

    Disclosure of PII is not against the law here in upper Canuckistan. But using PII fraudulently is. Or used to be. You have to steal $millions before they will pay any attention.

    1. Alan Brown Silver badge

      Re: RCMP does what?

      "Disclosure of PII is not against the law here in upper Canuckistan."

      Yes and no. Thanks to the GDPR equivalency treaties Upper Canuckistan has signed with the EU, if any european residents/citizens are included in that lot then they are and for any sample greater than 1 the chances are fairly good there will be a few.

  13. Mattknz1

    secure disposal.

    At the request of a customer I employed secure disposal services of a prominent company here in NZ, paying quite a pretty price. Shipped off a mid-size SAN and promptly received a call asking if they could 'recycle' and not dispose of said device.

    I received a 'certificate of disposal' however i'm moderately sure they double charged this device into the hands of a 3rd party.

    1. katrinab Silver badge

      Re: secure disposal.

      There are companies that will bring a van with shredder to your place and shred it in front of you. That’s the only thing I would trust.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019