NCIX DATA BREACH

Travis Doering - 9/18/2018, 9:32 PM


Millions of Canadian and American consumers are now at risk thanks to a series of shady backroom deals that have resulted in records detailing 15 years of business being sold.

"Data broker" is a title you likely associate with two common scenarios. The first is the legal company that collects, collates and analyzes data, commonly to produce insights or to drive data-informed behaviour change. The second is the illegal sale of data, typically conducted through shady online deals in which data is sold without consent on private forums or via public listings on online marketplaces. In the legal scenario, data companies mine publicly accessible sources and strike deals to acquire private consumer data from third parties, relying on terms-of-use agreements that allow companies holding valuable consumer data to transfer it to third parties with the user's consent. In the illegal scenario, the data is commonly acquired by black-hat hackers as the spoils of a breach, then sold to and used by organized crime or individual actors looking to profit through identity theft or by cashing out financial data. Those two scenarios aside, there is also a grey market of data sales, exploited by both sides, that sits between the white world of legal corporate deals and the black world of trafficking in stolen data.

Maintaining a profitable business is a fragile balance of risk and reward, and many companies have lately disappeared into bankruptcy. As established above, companies value data and retain an alarming amount of personal information, whether it is destined for internal use or for sale to a third party. That retention should prompt an important question: what happens to the data when a company's assets are sold off? The answer can be complicated, as any sale of data is supposed to be governed by the company's privacy policy, its third-party agreements and regional law. Radio Shack discovered just how complicated in 2015, when it attempted to sell its customer database and was later forced to destroy a sizable portion of it. Unfortunately, the transparency and oversight that existed in Radio Shack's case is the exception rather than the standard, thanks primarily to a dangerous combination of lazy IT policies and reckless sales practices that result in databases being regularly purchased and resold in shady, unrestricted deals by data brokers. The following editorial will take you inside one of those shadowy deals and shine a light on that behaviour through a series of dangerous warehouse meetings involving hacking, corporate espionage and foreign buyers.

August 1st, 2018. A rare sunny day in rain-ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself indulging my passion for used computer hardware by scouring Craigslist. Post after post of monotonous listings began to blend together when an intriguing title caught my eye: "NCIX Database Servers - $1500 (Richmond BC)". The seller claimed to be offering two servers, one a Database Server from NCIX and the other a Database Reporting Server. The seller claimed to have acquired both from Vancouver-based Able Auctions. I would later find out that was a lie, crafted to conceal their true origin. I emailed the seller and plainly stated, "I am interested in the server, does it have data in the database or is it a fresh install? I am primarily interested in the data." To which I received no reply.

August 21st, 2018. Twenty days had passed since my inquiry when I received the following response: "sorry for replying late, it has the data. it's unerased server contents." The seller proceeded to inform me that he had three NCIX servers for sale, for which he had the passwords required to log in. This series of messages immediately renewed my curiosity, and we arranged to meet in person to inspect the data on August 25th, 2018.

August 25th, 2018. I arrived at the agreed-upon address, a warehouse in Richmond, British Columbia. I met an Asian man in his mid-thirties who identified himself as Jeff. He led me up a flight of stairs above the warehouse into a nearly empty office with cheap laminate flooring. The office contained three rooms. The first housed nothing but a child's play mat. The second, the main room, contained two cheap folding tables, some chairs and a tea stand. The third was sporting a bed, various electronics equipment and an NCIX server propped up on a folding table, in what I can only describe as feeling unsettlingly transient. I remember the thought crossing my mind that this was the kind of room someone could "disappear" in. Those thoughts were quickly dashed as Jeff's young son came into the room, which put me at ease while also making me question why he would bring his son along on this deal.

I was then led by Jeff to the NCIX server on the table and handed passwords on a piece of paper. I sat down and began to review the contents of the hard disk. The first folder I opened was Documents, where I found some passwords and notes from whom I assume was a system administrator for NCIX. I then stumbled upon various XML files which gave me some insight into what was inside the database files. Between a couple of different XML files, I found plain-text names, usernames, passwords and addresses. I then opened SQL Server Management Studio, which is the tool used to manage the database files. Unfortunately, this is where my exploring ground to a halt.

NCIX SQL Error | NCIX BREACH

I was unable to open any tables of information, as the databases had been housed on a network drive which was no longer connected to the machine. I turned to Jeff, who was standing over me like a vulture awaiting his next meal, and inquired about the network drive, to which I received an unsettling response. He proceeded to tell me that not only did he have the network drive I was inquiring about, but he also possessed NCIX's entire server farm from the east coast, which had been shipped back to their Richmond warehouse several months earlier. I thought these revelations shocking enough; however, I would later discover that the data on those servers was only the tip of the iceberg. Jeff and I agreed to meet again on September 5th, 2018, after he had located all the hard drives for me to analyze.

Throughout the holiday weekend Jeff and I exchanged a series of emails, as I slowly learned more about what was being offered and his role within our deal. I crafted a story in which I was a lowly network engineer from a competing computer company that was looking to obtain the data. My thought was to paint myself as a cog in the machine to identify with Jeff. Fortunately, this fiction gained traction, as Jeff confided in me that NCIX had been renting a portion of a warehouse in Richmond where all the hardware was currently located. He explained that the current owner of the hardware was NCIX's previous landlord, as NCIX had abandoned the hardware when they failed to pay past-due rent totalling $150,000. Jeff stated that he was a former systems administrator for a Richmond-based telecommunications company and was helping NCIX's landlord recover the money he was owed in exchange for being able to copy the source code and database to aid his development team on a project. I was unable to figure out who Jeff was currently working for, or what exactly they had been developing. Jeff proceeded to tell me that he had previously assisted the landlord in selling 500 of NCIX's desktop computers and some enterprise hardware via Able Auctions in April of this year. Jeff assured me that while some hardware had been sold, he was careful to retain all the useful hard disks, which he described as unencrypted and "cracked".

NCIX Hard Drives | NCIX BREACH

I further learned that he still possessed around 300 desktop computers from NCIX's corporate offices and retail stores, 18 Dell PowerEdge servers, as well as at least two Supermicro servers running StarWind iSCSI software that NCIX had used to back up their hard disks. In addition, there were also the 109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers. Jeff believed these contained a combination of functional but decommissioned hard drives used by NCIX and customer data from machines that had been in for repair at the time of bankruptcy.

September 5th, 2018. I arrived at the warehouse midday, this time with slightly more insight into the software required to open and analyze the various files strewn among the 109 hard drives. I was once again ushered upstairs, where Jeff had prepared two Supermicro servers running StarWind iSCSI software and one of the 300 desktops as a sample. I first sat down at the desktop and discovered that it had been used by a former NCIX employee named Chadwick Ma. The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers' IDs, bills and Mr. Ma's T4, among other files.

NCIX Desktop Sample | NCIX BREACH

I remember the feeling of dread that came over me when I imagined what could have been exposed in those 500 desktops previously sold unencrypted and unwiped via Able Auctions. I then moved on to one of the Supermicro servers and began to mount various disk image files using the StarWind software. The first image I explored contained multiple folders of invoices from their retail stores, while the second contained images of devices. I mounted one image belonging to Steve Wu, the founder of NCIX. Inside I found data going back 13 years: financial documents, employment letters containing SIN numbers, and data from Mr. Wu's home computer, which featured personal documents and images of his family mixed in with numerous private photos of high-end escorts from mainland China. I then moved forward with examining some of the SQL databases titled nciwww.MDF, payroll_Data.MDF, OrdersSql.MDF and posreports.MDF, among other names, and this is where things got increasingly worrisome.


NCIX US Database Table | NCIX BREACH

The nciwww file contained 291 tables from the NCIX US store, and there were multiple versions of the file with data going back to 2007. The version I spent time analyzing was dated between November 2013 and February 2015. All the various versions of the MDF database files were unencrypted, with the last file for most of the databases dated 2017. The nciwww database contained a thousand records from affiliates listing plain-text passwords, addresses, names and some financial data. In another table I found customer service inquiries, including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users, spread across various tables.
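Why "unsalted MD5" in that users table matters as much as the plain-text passwords is worth showing concretely. The following is an added example, not code from the article or from NCIX's systems. The rows and the wordlist are constructed stand-ins (made-up accounts, not records from the dump), and the hardened alternative uses PBKDF2-HMAC-SHA256 from Python's standard library as a representative salted, slow password hash; the iteration count is an assumption taken from current OWASP guidance.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample rows in the shape the article describes for the users
# table: (username, unsalted MD5 hex digest of the password). Made-up accounts.
DUMPED_ROWS: List[Tuple[str, str]] = [
    ("alice", hashlib.md5(b"password1").hexdigest()),
    ("bob",   hashlib.md5(b"letmein").hexdigest()),
    ("carol", hashlib.md5(b"password1").hexdigest()),   # same password as alice
    ("dave",  hashlib.md5(b"Tr0ub4dor&3-long-unique").hexdigest()),
]

# A tiny constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST: List[str] = ["123456", "password", "password1", "letmein", "qwerty"]


def crack_unsalted_md5(rows: Iterable[Tuple[str, str]],
                       wordlist: Iterable[str]) -> Dict[str, str]:
    """One MD5 per candidate recovers every user who chose that password.

    Without a salt, identical passwords produce identical digests, so the
    attacker indexes the dump by digest and hashes each wordlist entry
    exactly once, matching it against all users at the same time. The work
    is proportional to the wordlist, not to the number of users, which is
    why a 385,000-row table falls in roughly the time a single row would.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, digest in rows:
        by_hash.setdefault(digest.lower(), []).append(user)

    recovered: Dict[str, str] = {}
    for candidate in wordlist:
        digest = hashlib.md5(candidate.encode()).hexdigest()
        for user in by_hash.get(digest, []):
            recovered[user] = candidate
    return recovered


# --- hardened alternative: per-user random salt plus a deliberately slow KDF ---
PBKDF2_ITERATIONS = 600_000   # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)          # fresh 128-bit salt per user, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_hashes_differ(password: str) -> bool:
    """Same password for two users yields two different stored values.

    That is the property the NCIX table lacked: with salts there is no shared
    digest to index on, so each guess must be recomputed per user, and at
    600,000 iterations each guess costs far more than one MD5.
    """
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("recovered from unsalted MD5:", crack_unsalted_md5(DUMPED_ROWS, WORDLIST))
    stored = hash_password("password1")
    print("salted record:", stored)
    print("verify correct password:", verify_password("password1", stored))
    print("two users, same password, distinct records:", salted_hashes_differ("password1"))
```

Run it and three of the four constructed accounts fall to a five-word list in four MD5 computations, with "dave" surviving only because his password is not in the list. A modern purpose-built password hash (bcrypt, scrypt or Argon2id) is the usual choice in practice; PBKDF2 is used here only because it ships with the standard library.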

NCIX Canada Database Table | NCIX BREACH

NCIX Invoice Table | NCIX BREACH

I then opened one of the Canadian databases, titled OrdersSql_Data. It contained many versions going back 15 years, with the most recent dated 2017. The version I opened contained three million, eight hundred forty-eight thousand records covering January 2007 through July 2010. Contents included names, company names, items purchased with serial numbers, addresses, phone numbers and payment data. I also opened a more recent version of the file, which additionally contained email addresses. As time ticked by, I quickly looked at more databases and discovered data from a financing program, employee records and vendor pricing. There were also countless database files that I didn't have time to open, and I can only imagine what other damaging data was housed within. At this point I had about an hour left to analyze data and decided I would open a couple more drive images. I discovered several XVA and VHD files, formats used by the XenServer virtualization platform, all of which contained more confidential data such as their company emails and source code. There was also an entire group of disk drives that I was unable to examine as I ran out of time, but Jeff was kind enough to explain in detail what they contained. Those hard drives held intellectual property from NCIX's ventures into manufacturing and other confidential documents from their network storage devices.

NCIX IMG Files Sample | NCIX BREACH

By this point I couldn't believe my eyes; the data I had seen that day contained some of the most damaging and extensive records I had ever come across, covering at least seventeen years of business transactions. Data breaches by external actors are common in today's digital world, but what makes this set of data so damaging is that it contains every record NCIX ever held, including their backup files, which had been kept on a segregated, air-gapped machine that no external attacker, regardless of skill level, would have plundered.

The examination portion of the meeting began to wind down as time flew by, and Jeff jumped into brokering a deal over a cup of tea. The first offer was thirty-five thousand dollars, which would allow me to purchase all the desktops and server hardware, excluding one group of hard drives I had analyzed, which he would allow me to copy. This struck me as strange, and I inquired as to why I couldn't purchase those drives. He explained that those drives and the data on them had already been sold for around fifteen thousand dollars to a foreign buyer who was arriving in Vancouver to acquire them in December. "December," I quipped in a questioning tone, which prompted Jeff to explain that even though the buyer was picking up the physical drives in December, Jeff had already copied the data from those drives to a network storage device and allowed the buyer remote access. The data on those drives comprised thirteen terabytes of SQL databases and various VHD and XenServer backup files. I cringed at the thought of that data being sold once, as it was dangerous enough, when during further conversation Jeff mentioned at least five other buyers. Jeff described one as a competing retailer, while for the other three Jeff claimed to "not want to know" their intentions or business. Armed with the knowledge that Jeff was willing to sell the data without all the hardware attached to the deal, I mentioned that I had little use for hardware, which prompted him to make a considerably shadier proposal. Jeff stated that I could pay fifteen thousand dollars to copy all the data from the hard drives, including the ones that he had previously sold. This scenario would play out with my employer paying fifteen thousand dollars to "rent the room", and he would provide me with a couple of desks and some servers to image all the data onto my own drives. Jeff and I tentatively agreed on the second deal, and I quickly exited the warehouse.

On my way out, I couldn't help but think about how Jeff boasted that he was able to "crack their iSCSI server with very simple tools in five minutes" and called their security "really, really, bad", and I would wholeheartedly agree with him there. This entire scenario could have been avoided by implementing full-disk encryption across the organization, or by destroying the drives as bankruptcy loomed. NCIX founder Steve Wu worked in IT for many years and fully understood the risk involved in his choice not to encrypt any data, and the repercussions of abandoning the assets in a warehouse. Mr. Wu's reckless behaviour has harmed every individual and business NCIX dealt with, by allowing millions of confidential records to be sold without any oversight to anonymous buyers. The data can easily be used to cash out credit cards, craft convincing phishing messages containing details of past purchases, and commit identity theft.

NCIX Credit Cards | NCIX BREACH

Businesses will only provide the level of security that consumers demand of them. It is time for all of us to demand more. The next time you hand over personal information, don't be afraid to ask three simple questions: Is the data you hold encrypted? Which departments have access to it? And why do you require this information?

Loss of physical assets can happen to any company, whether via theft, a careless employee or the result of a bankruptcy. I hope that this editorial helps underline the importance of taking local, physical threats into account when designing a cyber security game plan.

NOTE FOR PRESS: If you choose to write an article based on this information, you are welcome to reuse any content from this article. Please mention the source.

Privacy Fly Sales

Here at Privacy Fly we help individuals harden their cyber defenses with managed enterprise level solutions made easy.