NCIX Data Breach

NCIX Data Breach

One of the biggest news items around recently has been the NCIX Breach. I was notified of it through a colleague prior to the media finding out about it through the following blog –> ( The blog details events that took place where a person uncovered hard drives left by the now bankrupt NCIX computer retailer. The warehouse housing these drives, and left over computers that belonged to NCIX were being sold off by the warehouse landlord. The information based off privacyfly’s blog seems to point towards the landlord illegally selling the data on the drives to recuperate lost rent. The big question here is how NCIX, or the team taking care of their assets after bankruptcy could allow this information to be sold. And, this also goes to show how NCIX has very weak security procedues in place to safeguard their most vital data (customer and employee data).

Available Data

What seems to be astounding is that more than just customer data was stored in plain text. But, much of their employee data was also stored in plain text, as well as system and account passwords stored in simple spreadsheets. For example, they had Canadian Tax T4 slips related to their employee’s taxes and salaries stored on these hard drives.

Basically, all of their employee’s salaries, taxes, benefits, passwords, social insurance number, addresses etc.. was all stored on these drives un-encrypted. And, some of the news mentions that this data has been sold out to foreign buyers in Russia, China and various other buyers in many other countries. That means all of their employees now have enough information out there for someone to commit identity fraud. Realistically, having all of their tax information for the last 15 years, and a users SIN is enough to impersonate them at banks, and government agencies. This breach is starting to look just as bad as the Equifax breach that occurred not to long ago.

No Security Controls

I was quite shocked to realize that none of the data on the database or hard drives was ever encrypted or stored in a secure manner. Worst of all, they were storing and recording credit card data in plain text. There is a simple basic understanding that credit card and customer data should be encrypted at rest and during transmission.

There was a discussion earlier I had where someone mentioned that NCIX started using MSSQL 15 years ago,. At that time encryption was not easily supported on SQL Servers. Therefore, it could be that NCIX never used encryption for that matter. But, that doesn’t mean that at some point in time when encryption was finally available for MSSQL, that they should’ve looked into implementing it. Personally, I don’t believe they ever hired anyone to manage or assess their security, and it seems to have been left up to their system admins. I wonder if they ever had external security testing done on their websites and internal audits ?

How can I protect myself ?

At this point in time, if you know you made a purchase in the last 15 years at NCIX. Then, you should consider that your credit card information has now been compromised. And, the best re-course is to contact your credit card company to give you a new CC number. In the case of any NCIX employee, best bets are to contact the CRA to let them know that their tax information is probably exposed. These ex employees will also require a new SIN, which also should be considered as being compromised. Contacting banks and credit bureau’s would be a great idea too. That way a freeze or warning can be put in place for any credit checks done. The reason for this is that someone may try to commit identity theft with the now available data.

What to learn from this ?

The large answer here is that anytime a storage device needs to be discarded. It needs to be properly wiped, and better yet should be shredded. There are many services out there that offer special methods to discard hard drives so that no data can be viewed. I’ve personally seen diamond blade cutters that shred through mechanical drives into thousands of pieces. The chances of someone recovering data from them would be nil. Companies and general public users should also properly wipe drives.

There are several tools out there such as “Eraser” that will write random data to the hard drives. This means that old data is over written with random new data that has no meaning or use. This method ensures that if someone gets your drive, that the data is garbage to them. The best method of course is the encrypt the data on the drive at all times. That way if the hard drive is stolen or accidentally given to another party. The data cannot be read or used in any way. And, now your personal information is safe from being exploited or sold out to people.

Treat data as your crown jewels!

The Aftermath

It will be interesting to see if any legal action is taken against the NCIX CEO. Or, the company helping with the bankruptcy process. Or, even the landlord that handled the machines after they were left alone. From the news lately, it seems that the RCMP and privacy commissioner have now gotten involved in this issue. Maybe this will finally lead to stronger penalties for organisations that do not adequately protect customer data. Until the Canadian government imposes stricter laws much like the US is starting to do so. We will see more and more breaches in Canada, till the liability is pushed not just on the companies. But, is also imposed on members at the executive levels within each business and organization throughout Canada.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.