Defunct retailer with Burnaby store allegedly sold customer data

NCIX, a defunct Richmond-based hardware and software retailer that operated a store on Kingsway in Burnaby, is accused of compromising the security of former employees and the company’s customers. Richmond RCMP opened an investigation on Thursday.
NCIX Lansdowne location was closed late last year. Photo: Edward L.

"Yesterday afternoon we opened an investigation into data storage devices being sold online allegedly containing customer data from a defunct, but well-known computer retailer. We have since recovered the storage devices. Our investigation is active and on-going," according to a Richmond RCMP tweet.

Dennis Hwang, spokesperson for Richmond RCMP, told the Richmond News the data storage devices are "believed to have originated from their (NCIX) bankruptcy auction."

NCIX filed for bankruptcy late last year, closing more than a dozen stores across Canada after two decades of operations, and had two auctions to sell its remaining assets.

According to an article posted Tuesday by PrivacyFly, identified as a boutique cyber security firm based in Vancouver, NCIX sold its database servers in auctions without wiping the data. As a result, the personal data of customers and former employees are now being sold online.

Author Travis Doering wrote that he saw an ad titled, “NCIX Database Servers - $1500 (RichmondBC)” on Craigslist in August and the seller, called Jeff, said he possesses NCIX’s “entire server farm” including the data, which had not been erased.

“I further learned that he still possessed around 300 desktop computers from NCIX’s corporate offices and retail stores” and servers that NCIX had used to back up their hard disks, wrote Doering.

“In addition, there were also the 109 hard drives, which had been removed from servers before the auction and one large pallet of 400-500 used hard drives from various manufacturers.”

From those computers, Doering found 385,000 names, email addresses, phone numbers, IP addresses and “full credit card payment details in plain text for 258,000 users.”

He also discovered customer service inquiries including messages and contact information and confidential data, including credentials, invoices, photographs of customers’ ID, bills, and a former employee’s T4.

Jeff told Doering that some of those drives and the data on them had already been sold to “a foreign buyer” for $15,000 and that the same data was also sold to at least five other buyers.

“By this point I couldn’t believe my eyes, the data I had seen today contained some of the most damaging and extensive records I had ever come across covering at least seventeen years of business transactions,” wrote Doering.

“The data can easily be used to cash out credit cards, craft convincing phishing messages containing details on purchases and to commit identity theft.”