Privacy officials in B.C. and Ottawa are looking into a reported data breach involving former Canadian retailer NCIX, with millions of records – including customer names, addresses, phone numbers and payment information – said to have been made available through a Craigslist post.

Travis Doering, who runs a small cybersecurity firm in Vancouver known as Privacy Fly, in a post on his company website said he noticed last month that NCIX database servers were being sold online.

Mr. Doering said he arranged a meeting with the seller and was told NCIX – which filed for bankruptcy last year – had failed to pay a $150,000 warehouse bill and left the equipment behind. He said it contained 15 years of data.

“Data breaches by external actors are common in today’s digital world but what makes this set of data so damaging is that it contains every record NCIX ever held,” Mr. Doering wrote in the post, published last week.

Mr. Doering said the entire scenario “could have been avoided by simply implementing full disk encryption within their organization or destroying the drives as their bankruptcy loomed.”

NCIX, which had previously described itself as Canada’s largest computer component e-tailer with products shipped to hundreds of thousands of customers in this country and the United States, could not be reached for comment Friday.

A spokesperson at the Office of the Information and Privacy Commissioner for B.C. in an e-mail said it is aware of the apparent breach and is looking into the matter. The spokesperson said she could not provide further details on an active file.

A spokesperson for the Office of the Privacy Commissioner of Canada said it is also looking into the matter and reaching out to its B.C. counterparts. The spokesperson said the federal agency has not opened a formal investigation into the matter at this time.

Corporal Dennis Hwang, a spokesperson for the Richmond RCMP, said police received information Thursday about an individual who “may have been selling some of these computers with data that may have belonged to the well-known computer retailer. And that data has since been recovered.

“We have an investigation ongoing,” he said, adding he could not comment further.

Mr. Doering in an interview said the incident showed what can happen when companies don’t prioritize security. He said while last week’s post focused on NCIX, he plans to highlight similar data breaches by other companies.

“This is only one example. This is very common, for data to be trafficked after bankruptcy,” he said.

David Shipley, chief executive officer of cybersecurity firm Beauceron Security, said if the information in Mr. Doering’s post is correct the incident would rank “among the worst privacy breaches in the private sector that I’m aware of in Canada.

“It’s almost the digital equivalent of an oil spill with a bankrupt company,” he said. “Because who then pays for the clean-up? What recourse do victims truly have when a company no longer exists?”

Mr. Shipley said anyone who used a credit card that has not expired for an NCIX transaction should seriously consider getting a new card.
