RCMP and privacy commissioner probe alleged NCIX data breach

B.C.'s privacy commissioner is investigating an alleged privacy breach involving the bankrupt computer retailer NCIX.

Questions raised after ads appear offering old computer database equipment for sale

Joan Marshall CBC Posted: Sep 21, 2018 9:46 PM EDT | Last Updated: September 22, 2018

a hand hovers over a computer keyboard — Authorities are investigating a claim that NCIX's database servers have been advertised online with all of the information still intact. (Getty Images)

The RCMPandOffice of the Information and PrivacyCommissioner of British Columbia are investigating allegations of a possible data breach involvingthe bankrupt computer retailerNCIX.

Authorities are investigating a claim thatNCIX's database servers have been advertised for sale online with all of the information still intact.

In doing so, it may have compromised the security of countless customers.

According to a statement from Richmond RCMP, the case was opened Thursday and police have seized the servers.

Yesterday afternoon we opened an investigation into data storage devices being sold online allegedly containing customer data from a defunct, but well-known computer retailer. We have since recovered the storage devices. Our investigation is active and on-going.
—@RichmondRCMP

The investigations began aftera feature article appeared on a cybersecurity website calledPrivacyFlythis week..

The piece detailed how the author arranged to meet a man who was selling computer hardware he advertised as being from the now defunct companyNCIX.

NCIXcomputers for sale

The author Travis Doering is a systems analyst who says he noticed a Craigslistad listing NCIX computers for sale.

Doering says he arranged to meet the seller, a man who called himself Jeff,in a warehouse in Richmond.He says he was stunned when the man offered the information from offline backup servers on millions of transactions.

"Every record for more than 10 years was there."

Travis Doering examines documents of private information, which he says he copied off NCIX computer servers that are being sold. (CBC/Tristan LeRudulier)

He says he saw personal data of customers, includingaddresses,phone numbers.and financial information.

"Credit card information was there in plain text with numbers, CVVs[Card Verification Value]and expirydates," Doering said.

He also saw personal income tax information about employees such as T4 statements. Heshowed some of the statements to CBCNews.

CBChasreached out to former NCIX employees but hasnot heard back.

Computer experts say they don'tunderstand how this information would not have been encrypted.

Graham Wiliams says he is surprised by the potential size of the alleged privacy breach. (CBC/Tristan LeRudulier)

Technical expert Graham Williamssays hewas shocked at reports of thebreach and worries how much information may be out there.

"Looking at other breaches of Canadian retailers, we haven't seen this scope ofinformation of user data, this amount of unencrypted data."

NCIXwas a British Columbia-based computer seller thatfiled bankruptcy papers on Dec.1, 2017.

The retailer closedits outlets in both Vancouver and Richmond.

On Friday, the office of theprivacy commissioner refusedto reveal the scope of the investigation.

WIth files from Belle Puri

CBC's Journalistic Standards and Practices|About CBC News

Corrections and clarifications|Submit a news tip|

RCMP and privacy commissioner probe alleged NCIX data breach

Questions raised after ads appear offering old computer database equipment for sale

NCIXcomputers for sale

Related Stories