Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

www.theregister.co.uk | 9/20/2018 | Staff

Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed.

Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers.

Travis Doering, of infosec shop Privacy Fly, claimed he discovered the security cockup in the simplest way possible: he spotted the machines advertised on Craigslist, answered the ad, and inspected what was on offer.

According to the security consultant in a writeup this week, the hardware haul turned out to be 18 Dell PowerEdge boxes from NCIX's server farm, plus storage kit, and 300 desktop machines. They were seized by the retailer's landlords after NCIX failed to pay CA$150,000 in rent, and sold off via auction to another person, who then apparently hawked the equipment to interested buyers via Craigslist last month.

The chain's database files, dating back to 2007, were unencrypted on the machines, and covered all aspects of the business, according to Doering:

The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three...
(Excerpt) Read more at: www.theregister.co.uk