Unwiped servers and drives from NCIX appear on Craigslist
A security researcher found data relating to 3,848,000 orders on one server


Servers and disk drives from dissolved computer company NCIX have been found for sale on US trading site Craigslist, with all customer, partner and employee data still recoverable.
Although it's unclear who's selling them, one seller said they were helping the landlord get rid of equipment left in their warehouse after the Canadian company went bust last year.
Bleeping Computer reported that security consultant Travis Doering decided to try to buy one of the servers to investigate whether they were being sold with any data still on them. After seeing one for sale on Craigslist, he set about buying it and was successful.
The seller said he was offering an entire server farm on behalf of the landlord. He also had 300 desktop computers as well as the 18 Dell PowerEdge servers and two SuperMicro servers with StarWind iSCSI software.
Apparently, NCIX had failed to pay the property owner CAD150,000 in rent and so he was trying to recoup the costs by selling the equipment, without clearing it securely.
One of the servers Doering bought contained the data from 3,848,000 orders placed between 2007 and 2010, including names, email addresses, company names, addresses, phone numbers and even payment data.
In all, there was payment data relating to more than 250,000 customers.
Another dataset included unsalted MD5 hashed passwords for 385,000 customers.
The seller's name was Jeff and although speculators think it could be NCIX's former CEO, Jeff Chiang, who wants to make some quick cash, Doering said he didn't think that was the case.
However, whoever is selling the equipment risks getting into serious trouble for essentially selling customer data illegally.
"Both sellers and buyers of the customer records, allegedly belonging to the retailer, can face harsh legal ramifications," High-Tech Bridge's CEO Ilia Kolochenko commented. "Under certain sets of circumstances it can be a serious criminal offense, however, it is too early to make any decisive conclusions prior to thorough investigation of the incident."
But as NCIX has gone bust, compensation claims are unlikely to succeed: there is no one to pay them except those selling the equipment, and they are unlikely to have the funds to cover such costs.
"Nowadays, such negligence is unfortunately not all that uncommon, even amid operating and profitable companies, let alone bankrupt ones," Kolochenko added. "Many large organisations have been exposed for throwing away plaintext PII and other sensitive data of their customers on paper, hard drives or mobile devices.
"This is why certifications similar to ISO 27001 play an important role to ensure that at least the fundamentals of information security management are properly implemented in a company."

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.