What happens to sensitive customer data when a large company that has collected it over many years suddenly goes bust?
It’s easy to assume that databases are wiped by diligent IT staff just before they turn off the lights and close the door for the last time. At the very least that data should have been encrypted.
It has now emerged that something entirely different and more troubling took place when Canadian computer and electronics retailer Netlink Computer Inc (NCIX) declared bankruptcy in December 2017.
According to Privacy Fly researcher Travis Doering, the company simply abandoned much of its equipment in a hurry, which he discovered when it was offered for sale on Craigslist this August.
After arranging a meeting with the seller to examine the hardware, it turned out to comprise 20 Dell PowerEdge and Supermicro servers, 300 desktop PCs, 109 hard drives, and another 400-500 drives that had been inside NCIX desktops or sent to it for repair.
Now for the disturbing bit – it soon became clear that the valuable part of the deal was not the drives themselves but what was on them – 13 terabytes of data all told, including 385,000 database records containing names, email addresses, phone numbers and account passwords, 258,000 of which included full credit card payment details.
A separate Canadian database contained 3.8 million customer records gathered by NCIX between January 2007 and July 2010.
Doering even turned up numerous files belonging to NCIX’s founder Steve Wu, including personal documents and images of his family, plus large numbers of company emails, and intellectual property related to manufacturing.
Somehow the seller had got hold of passwords to access the databases while significant amounts of the data were not encrypted in the first place. The price for the data on its own: $15,000 (£11,500).
How did such a data catastrophe come to pass?
Doering’s guess is that NCIX’s landlord was owned money and quickly sold the dead company’s equipment to an auction house, where it was picked up cheaply by the contact who had offered it to him.
Given the calculated way the data was marketed for its value, it seems likely the equipment was targeted precisely because it might contain something that could be sold. Writes Doering:
This entire scenario could have been avoided by simply implementing full disk encryption within their organization or destroying the drives as their bankruptcy loomed.
That’s problem number one – the company doesn’t appear to have been storing its databases securely. Problem number two is that nobody seems to be paying any attention to what happens to customer data when companies die.
The NCIX incident is a data breach by the back door, which would have gone unrecorded had a curious researcher not answered a Craigslist ad.
Worse than that, this is a type of data breach in which the victims will almost certainly never receive a notification email telling them what’s happened because the only record of their involvement is already in the hands of criminals.
For Canadian or US customers of NCIX during the last 15 years, they should assume any personal data or credit card information logged with them is now potentially in the hands of cybercriminals and raise any suspicious transactions with their bank.