NCIX DATA BREACH


Millions of Canadian and American consumers are now at risk thanks to a series of shady backroom deals that have resulted in records detailing 15 years of business being sold.

Data broker is a title you likely associate with two common scenarios. The first is legal companies that focus on collecting, collating and analyzing data, which is commonly used for insights or for driving data-driven behavior change. The second is the illegal sale of data, often conducted through shady online deals in which data is sold without consent via private forums or through public listings on online marketplaces. In the first, legal, scenario data companies often mine publicly accessible data and strike deals to acquire private consumer data from third parties, made possible by terms-of-use agreements that allow companies holding valuable consumer data to transfer it to third parties with consent. In the second, illegal, scenario the data is commonly acquired by black-hat hackers as the spoils of data breaches, and is then sold to and used by organized crime or individual actors looking to profit from it through identity theft or by cashing out financial data. Those two common scenarios aside, there is also a grey market in data sales, exploited by both sides, that exists between the black-and-white world of legal corporate deals and the illegal online trafficking of stolen data.

Maintaining a profitable business is a fragile balance of risk and reward, and unfortunately many companies have disappeared into bankruptcy as of late. As established above, companies value data and retain an alarming amount of personal information, whether it is destined for internal use or for sale to a third party. The retention of that data should make you ask an important question: what happens to it when a company’s assets are sold off? The answer can be complicated, as any sale of data is supposed to be governed by individual privacy policies, third-party agreements and regional laws. Radio Shack discovered just how complicated in 2015 when it attempted to sell its customer database and was later forced to destroy a sizable portion of it, but unfortunately the transparency and oversight that existed in Radio Shack’s case is the exception rather than the standard, thanks primarily to a dangerous combination of lazy IT policies and reckless sales practices that result in databases being regularly purchased and resold in shady, unrestricted deals by data brokers. The following editorial will take you inside one of those shadowy deals and shine a light on that behavior through a series of dangerous warehouse meetings involving hacking, corporate espionage, and foreign buyers.

August 1, 2018. A rare sunny day in rain-ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself indulging my passion for used computer hardware by scouring Craigslist. Post after post of monotonous listings began to blend together until an intriguing title caught my eye: “NCIX Database Servers - $1500 (Richmond BC)”. The seller claimed to be offering two servers, one a Database Server from NCIX and the other a Database Reporting Server. The seller claimed to have acquired both from Vancouver-based Able Auctions. I would later find out that was a lie, crafted to conceal their true origin. I emailed the seller and plainly stated, “I am interested in the server, does it have data in the database or is it a fresh install? I am primarily interested in the data.” To which I received no reply.

August 21st, 2018. Twenty days had passed since my inquiry when I received the following response: “sorry for replying late, it has the data. it's unerased server contents.” The seller proceeded to inform me that he had three NCIX servers for sale, for which he had the passwords required to log in. This series of messages immediately renewed my curiosity and we arranged to meet in person to inspect the data on August 25th, 2018.

August 25th, 2018. I arrived at the agreed-upon address, a warehouse in Richmond, British Columbia. I met an Asian man in his mid-thirties who identified himself as Jeff. He led me up a flight of stairs above the warehouse into a nearly empty office with cheap laminate flooring. The office contained three rooms. The first housed nothing but a child’s play mat. The second, the main room, contained two cheap folding tables, some chairs and a tea stand. The third was sporting a bed, various electronics equipment and an NCIX server propped up on a folding table, in what I can only describe as feeling unsettlingly transient. I remember the thought crossing my mind that this was the kind of room someone could “disappear” in. Those thoughts were quickly dashed as Jeff’s young son came into the room, which put me at ease while also making me question why he would bring his son along on this deal.

I was then led by Jeff to the NCIX server on the table and handed passwords on a piece of paper. I sat down and began to review the contents of the hard disk. The first folder I opened was Documents, where I found some passwords and notes from who I assume was a system administrator for NCIX. I then stumbled upon various XML files which gave me some insight into what was inside the database files. Between a couple of different XML files, I found plain-text names, usernames, passwords, and addresses. I then opened SQL Server Management Studio, which is a tool used to manage the database files. Unfortunately, this is where my exploring ground to a halt.
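The plain-text credentials sitting in those XML files are exactly what an administrator should be hunting for before a machine leaves their control. The following scanner is an added example written for this article, not code from NCIX or from the author: it walks an XML document and reports every element, attribute, key/value entry or connection-string fragment whose name looks credential-like and whose value is non-empty. The sample configuration is constructed for the example, and the list of credential-like names is an assumption you would extend for your own environment.

```python
import re
import xml.etree.ElementTree as ET

# Names that commonly carry credentials in application config files.
# This list is an assumption for the example; extend it for your own environment.
CREDENTIAL_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|token|apikey|api_key)", re.IGNORECASE)

# Constructed sample: an application config of the kind left behind on a decommissioned server.
SAMPLE_XML = """<configuration>
  <connectionStrings>
    <add name="orders" connectionString="Server=db01;User Id=sa;Password=Hunter2!" />
  </connectionStrings>
  <appSettings>
    <add key="smtpUser" value="mailer" />
    <add key="smtpPassword" value="S3cret" />
    <add key="apiToken" value="" />
  </appSettings>
  <user>
    <username>jdoe</username>
    <password>letmein</password>
  </user>
</configuration>
"""


def _path(stack):
    return "/" + "/".join(stack)


def find_plaintext_credentials(xml_text):
    """Return a list of (element path, field name, value) for credential-like fields
    that hold a non-empty value. Empty values (e.g. an unset token) are not reported."""
    findings = []
    root = ET.fromstring(xml_text)
    stack = []

    def walk(elem):
        stack.append(elem.tag)
        # Case 1: the element itself is named like a credential, e.g. <password>letmein</password>
        if CREDENTIAL_NAME.search(elem.tag) and (elem.text or "").strip():
            findings.append((_path(stack), elem.tag, elem.text.strip()))
        for attr, value in elem.attrib.items():
            # Case 2: the attribute name is credential-like, e.g. password="..."
            if CREDENTIAL_NAME.search(attr) and value.strip():
                findings.append((_path(stack), attr, value.strip()))
            else:
                # Case 3: a credential embedded in a larger value such as a connection string
                for m in re.finditer(r"(?i)(password|pwd)\s*=\s*([^;]+)", value):
                    findings.append((_path(stack), f"{attr}:{m.group(1)}", m.group(2).strip()))
        # Case 4: key/value pairs in the <add key="..." value="..."/> style
        key = elem.attrib.get("key") or elem.attrib.get("name")
        value = elem.attrib.get("value")
        if key and value is not None and CREDENTIAL_NAME.search(key) and value.strip():
            findings.append((_path(stack), key, value.strip()))
        for child in elem:
            walk(child)
        stack.pop()

    walk(root)
    return findings


def mask(value):
    """Show only the first character so a report can be shared without re-exposing the secret."""
    return value[:1] + "*" * (len(value) - 1)


if __name__ == "__main__":
    for path, name, value in find_plaintext_credentials(SAMPLE_XML):
        print(f"{path}  {name} = {mask(value)}")
```

On the constructed sample the scanner reports three findings: the `Password=` fragment inside the connection string, the `smtpPassword` setting, and the `<password>` element; the empty `apiToken` is correctly skipped. Run it over every `*.xml` and `*.config` on a host as part of the decommissioning checklist, and treat any hit as a credential to rotate, since a disk that leaves the building unwiped exposes it regardless of what else is on the machine.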

[Image: NCIX SQL Error]

I was unable to open any tables of information as the databases had been housed on a network drive which was no longer connected to the machine. I turned to Jeff, who was standing over me like a vulture awaiting his next meal, and inquired about the network drive, to which I received an unsettling response. He proceeded to tell me that not only did he have the network drive that I was inquiring about, but he also possessed NCIX’s entire server farm from the east coast, which had been shipped back to their Richmond warehouse several months earlier. I thought these revelations to be shocking enough; however, I would later discover that the data on those servers was only the tip of the iceberg. Jeff and I agreed to meet again on September 5th, 2018, after he had located all the hard drives for me to analyze.

Throughout the holiday weekend Jeff and I exchanged a series of emails, as I slowly learned more about what was being offered and his role within our deal. I crafted a story in which I was a lowly network engineer from a competing computer company who was looking to obtain the data. My thought was to paint myself as a cog in the machine to identify with Jeff. Fortunately, this fiction gained traction as Jeff confided in me that NCIX had been renting a portion of a warehouse in Richmond where all the hardware was currently located. He explained that the current owner of the hardware was NCIX’s previous landlord, as NCIX had abandoned the hardware when they failed to pay a past-due rent total of $150,000. Jeff stated that he was a former systems administrator for a Richmond-based telecommunications company and was helping NCIX’s landlord recover the money he was owed in exchange for being able to copy the source code and database to aid his development team on a project. I was unable to figure out who Jeff was currently working for, or what exactly they had been developing. Jeff proceeded to tell me that he had previously assisted the landlord in selling 500 of NCIX’s desktop computers and some enterprise hardware via Able Auctions in April of this year. Jeff assured me that while some hardware had been sold, he was careful to retain all the useful hard disks, which he described as unencrypted and “cracked”.

[Image: NCIX Hard Drives]

I further learned that he still possessed around 300 desktop computers from NCIX’s corporate offices and retail stores, 18 Dell PowerEdge servers, as well as at least two Supermicro servers running StarWind iSCSI software that NCIX had used to back up their hard disks. In addition, there were also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers. Jeff believed these contained a combination of functional but decommissioned hard drives used by NCIX and customer data from machines that had been in for repair at the time of bankruptcy.

September 5th, 2018. I arrived at the warehouse midday, this time with slightly more insight into the software required to open and analyze the various files strewn among the 109 hard drives. I once again was ushered upstairs, where Jeff had prepared two Supermicro servers running StarWind iSCSI software and one of the 300 desktops as a sample. I first sat down at the desktop and discovered that it had been used by a former NCIX employee named Chadwick Ma. The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers’ IDs, bills, and Mr. Ma’s T4, among other files.

[Image: NCIX Desktop Sample]

I remember the feeling of dread as it came over me when I imagined what could have been exposed in those 500 desktops previously sold unencrypted and unwiped via Able Auctions. I then moved on to one of the Supermicro servers and began to mount various disk image files using the StarWind software. The first image I explored contained multiple folders of invoices from their retail stores, while the second contained images of devices. I mounted one image belonging to Steve Wu, the founder of NCIX. Inside I found data going back 13 years: financial documents, employment letters containing SIN numbers, and data from Mr. Wu’s home computer, which featured personal documents and images of his family mixed in with numerous private photos of high-end escorts from mainland China. I then moved forward with examining some of the SQL databases titled nciwww.MDF, payroll_Data.MDF, OrdersSql.MDF, posreports.MDF, among other names, and this is where things got increasingly worrisome.