NCIX DATA BREACH
Travis Doering - 9/18/2018, 9:32 PM

Millions of Canadian and American consumers are now at risk thanks to a series of shady backroom deals that have resulted in records detailing 15 years of business being sold.

Data broker is a title that you likely associate with two common scenarios. The first is legal companies that focus on collecting, collating and analyzing data that is commonly used for insights and/or for making data-driven behavior changes. The second scenario is the illegal sale of data, often conducted via shady online deals in which data is sold without consent via private forums or through public offerings conducted via online marketplaces. In the first, legal scenario, data companies often mine publicly accessible data and strike deals to acquire private consumer data from third parties, thanks to terms of use agreements that allow companies holding valuable consumer data to transfer that data to third parties with consent. In the second, illegal option, the data is commonly acquired by blackhat hackers and is the spoils of data breaches. Often the data is sold and used by organized crime or individual actors looking to profit from it via identity theft or cashing out financial data. Those two common scenarios aside, there is also an industry of grey market data sales, exploited by both sides, that exists in between the black and white world of legal corporate deals and the illegal online trafficking of stolen data.

Maintaining a profitable business is a fragile balance of risk and reward, and unfortunately many companies have disappeared into bankruptcy as of late. As we established above, companies value data and retain an alarming amount of personal information, whether it be destined for internal use or for sale to a third party. The retention of that data should make you ask an important question: what happens to it when a company’s assets are sold off? The answer can be complicated, as any sale of data is supposed to be determined by individual privacy policies, third-party agreements and regional laws. Radio Shack discovered just how complicated in 2015, when it attempted to sell its customer database and was later forced to destroy a sizable portion of it. Unfortunately, the transparency and oversight that existed in Radio Shack’s case is often an abnormality rather than the standard, thanks primarily to a dangerous combination of lazy IT policies and reckless sales practices that have resulted in databases being regularly purchased and resold in shady unrestricted deals by data brokers. The following editorial will take you inside one of those shadowy deals and shine a light upon their behavior in a series of dangerous warehouse meetings involving hacking, corporate espionage, and foreign buyers.

August 1st, 2018. A rare sunny day in rain-ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself indulging my passion for used computer hardware by scouring Craigslist. Post after post of monotonous listings began to blend together as an intriguing title caught my eye: “NCIX Database Servers - $1500 (Richmond BC)”. The seller claimed to be offering two servers, one a Database Server from NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver-based Able Auctions. I would later find out that was a lie, crafted to conceal their true origin. I emailed the seller and plainly stated, “I am interested in the server, does it have data in the database or is it a fresh install? I am primarily interested in the data.” To which I received no reply.

August 21st, 2018. Twenty days had passed since my inquiry when I received the following response, “sorry for replying late, it has the data. it's unerased server contents.” The seller proceeded to inform me that he had three NCIX servers for sale, for which he had the passwords required to log in. This series of messages immediately renewed my curiosity, and we arranged to meet in person to inspect the data on August 25th, 2018.

August 25th, 2018. I arrived at the agreed-upon address, a warehouse in Richmond, British Columbia. I met an Asian man in his mid-thirties who identified himself as Jeff. He led me up a flight of stairs above the warehouse into a nearly empty office with cheap laminate flooring. The office contained three rooms. The first housed nothing but a child’s play mat. The second, a main room, contained two cheap folding tables, some chairs and a tea stand. The third was sporting a bed, various electronics equipment and an NCIX server propped up on a folding table in what I can only describe as feeling unsettlingly transient. I remember the thought crossing my mind that this was the kind of room someone could “disappear” in. Those thoughts were quickly dashed as Jeff’s young son came into the room, which put me at ease while also making me question why he would bring his son along on this deal.

I was then led by Jeff to the NCIX server on the table and handed passwords on a piece of paper. I sat down and began to review the contents of the hard disk. The first folder I opened was documents, where I found some passwords and notes from who I assume was a system administrator for NCIX. I then stumbled upon various XML files which gave me some insight into what was inside the database files. Between a couple of different XML files, I found plain text names, usernames, passwords, and addresses. I then opened SQL Server Management Studio, which is a tool used to manage the database files. Unfortunately, this is where my exploring ground to a halt.