Privacy officials in B.C. and Ottawa are looking into a reported data breach involving former Canadian retailer NCIX, with millions of records – including customer names, addresses, phone numbers and payment information – said to have been made available through a Craigslist post.
Travis Doering, who runs a small cybersecurity firm in Vancouver known as Privacy Fly, in a post on his company website said he noticed last month that NCIX database servers were being sold online.
Mr. Doering said he arranged a meeting with the seller and was told NCIX – which filed for bankruptcy last year – had failed to pay a $150,000 warehouse bill and left the equipment behind. He said it contained 15 years of data.
“Data breaches by external actors are common in today’s digital world but what makes this set of data so damaging is that it contains every record NCIX ever held,” Mr. Doering wrote in the post, published last week.
Mr. Doering said the entire scenario “could have been avoided by simply implementing full disk encryption within their organization or destroying the drives as their bankruptcy loomed.”
NCIX, which had previously described itself as Canada’s largest computer component e-tailer with products shipped to hundreds of thousands of customers in this country and the United States, could not be reached for comment Friday.
A spokesperson at the Office of the Information and Privacy Commissioner for B.C. in an e-mail said it is aware of the apparent breach and is looking into the matter. The spokesperson said she could not provide further details on an active file.
A spokesperson for the Office of the Privacy Commissioner of Canada said it is also looking into the matter and reaching out to its B.C. counterparts. The spokesperson said the federal agency has not opened a formal investigation into the matter at this time.
Corporal Dennis Hwang, a spokesperson for the Richmond RCMP, said police received information Thursday about an individual who “may have been selling some of these computers with data that may have belonged to the well-known computer retailer. And that data has since been recovered.
“We have an investigation ongoing,” he said, adding he could not comment further.
Mr. Doering in an interview said the incident showed what can happen when companies don’t prioritize security. He said while last week’s post focused on NCIX, he plans to highlight similar data breaches by other companies.
“This is only one example. This is very common, for data to be trafficked after bankruptcy,” he said.
David Shipley, chief executive officer of cybersecurity firm Beauceron Security, said if the information in Mr. Doering’s post is correct the incident would rank “among the worst privacy breaches in the private sector that I’m aware of in Canada.
“It’s almost the digital equivalent of an oil spill with a bankrupt company,” he said. “Because who then pays for the clean-up? What recourse do victims truly have when a company no longer exists?”
Mr. Shipley said anyone who used a credit card that has not expired for an NCIX transaction should seriously consider getting a new card.