Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for September 2018 is… the exposed records of NCIX.
Before declaring bankruptcy, and ultimately closing its doors in December 2017, NCIX was a major Canadian computer retailer, with stores across British Columbia and Ontario. In recent weeks, NCIX servers containing terabytes of unencrypted data have appeared for sale on Craigslist. The seller was located in Richmond, BC, a suburb of Vancouver, and was offering servers for $1500 apiece. The seller claimed to also have access to hundreds of computers from NCIX offices.
Travis Doering, owner of cybersecurity firm Privacy Fly, investigated the sale, and found that the hardware contained massive amounts of private data, including names, addresses, email addresses, phone numbers, IP addresses, invoices, photos of customer ID, unsalted MD5 hashed passwords, hundreds of thousands of plain-text payment card details, and millions of customer orders.
None of the data was encrypted, and it appeared to include transactions going back 15 years. The seller told Doering he had already sold some of the data and was willing to sell copies of the data separately from the hardware.
How did it Happen?
On September 18, Doering posted a detailed article about his investigation into the Craigslist sale. Doering’s account of the story has not been perfectly verified, but Richmond Police are investigating, and a proposed class action lawsuit has been launched on behalf of NCIX customers.
If Doering’s story is accurate, NCIX seems to have kept far more customer data than was necessary, for far too long, and made major lapses in how they protected it. According to the class action lawsuit , after the company went bankrupt, a trustee was appointed to take possession of NCIX’s property. NCIX did not encrypt or destroy the information before handing over the servers and computers. The trustee then contracted an auctioneer to sell off the hardware, and during these sales, the data was unsecured and exposed to the public. In Doering’s article, the man selling the servers on Craigslist told Doering he had assisted in the auction process, and made sure to keep all the useful material.
How to Minimize the Risk of this Type of Breach
The mistakes made by NCIX are so glaring that this is a pretty simple one to avoid. Sensitive data should always be encrypted in storage, hard drives should be destroyed or securely wiped when decommissioned, and not every record should be retained indefinitely. There is no need for NCIX to have maintained this level of detailed customer data for more than 15 years. Unfortunately, when a company enters bankruptcy and closes down, they are left with little incentive to maintain proper information security.
A good way to minimize the risk of this kind of incident is to enforce standardized procedures in your company. While D3 is known for its SOAR tool, our long history in case and incident management has provided us with a deeply configurable platform that can be used to build workflows of almost any kind. So D3 customers will often use the platform to create playbooks for activities like decommissioning hardware, which might not be top of mind for anyone within the organization, but can create massive risk when the right steps are not followed—as illustrated by the case of NCIX. Having playbooks for these types of procedures supports users with step-by-step checklists, automated task assignments, and deadline notifications, in order to ensure that everything is performed correctly.
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.