August 1, 2018. A rare sunny day in rain-ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself indulging my passion for used computer hardware by scouring Craigslist. Post after post of monotonous listings began to blend together as an intriguing title caught my eye. “NCIX Database Servers - $1500 (Richmond BC)”. The seller claimed to be offering two servers, one a Database Server from NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver-based Able Auctions. I would later find out that was a lie, crafted to conceal their true origin. I emailed the seller and plainly stated, “I am interested in the server, does it have data in the database or is it a fresh install? I am primarily interested in the data.” To which I received no reply.
August 21st, 2018. Twenty days had passed since my inquiry when I received the following response, “sorry for replying late, it has the data. it's unerased server contents.” The seller proceeded to inform me that he had three NCIX servers for sale for which he had the passwords required to log in. This series of messages immediately renewed my curiosity and we arranged to meet in person to inspect the data on August 25th, 2018.
Quote:
The nciwww file contained 291 tables from their NCIX US store, and there were multiple versions of the file with data going back to 2007. The version I spent time analyzing was dated between November 2013 and February 2015. All the various versions of the MDF database files were unencrypted, with the last file being dated in 2017 for most of the databases. The nciwww database contained a thousand records from affiliates listing plain-text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5-hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users across various tables.
Goddamn that company was shady but...goddamn. There must be some kind of possible class-action suit here.
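The quoted report lists "unsalted MD5 hashed passwords" as one of the findings. The following Python snippet is an added illustration (not code from the report or from this thread) of why that matters for a defender: with unsalted MD5, every user who picked the same password ends up with the same digest, so a single precomputed lookup table recovers all of them at once, whereas a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library, used here as an assumed replacement) force the work to be repeated for every record. The function and field names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme, as described in the quoted findings: one MD5 digest per
# password, no salt, no work factor. Same password => same digest, so a
# leaked table is trivially matched against a precomputed list.
def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Replacement scheme (assumed, not NCIX's): PBKDF2-HMAC-SHA256 with a random
# 16-byte salt and a high iteration count. The stored string carries the
# algorithm, iteration count and salt so it can be verified later.
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

# Verification recomputes the derivation from the stored parameters and uses
# a constant-time comparison so timing does not leak how many bytes matched.
def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Returns True if two users sharing a password get identical stored values,
# i.e. the scheme leaks password equality across the whole table.
def leaks_equality(hasher, password: str = "password") -> bool:
    return hasher(password) == hasher(password)

if __name__ == "__main__":
    # Constructed sample: two customers who chose the same password.
    print("MD5 reveals shared passwords:", leaks_equality(unsalted_md5))
    print("PBKDF2 reveals shared passwords:", leaks_equality(hash_password))
    stored = hash_password("correct horse battery staple")
    print("verify right password:", verify_password("correct horse battery staple", stored))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", stored))
```

The point of the stored-format string is that the salt and iteration count travel with the record; a later migration to a different work factor only requires re-hashing on next successful login, not a new schema. Note that this addresses only the password column; the plain-text card data the report describes is a separate problem that no hashing scheme fixes, since that data must be recoverable.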
The officers of the company would still be liable under their fiduciary duty to the customers.
Fiduciary to customers by Officers? You wish. Perhaps criminal level negligence by someone auctioning off servers with data (could even be the court appointed trustee), but you're likely thinking of fiduciary duty to shareholders by the directors that often can create liability, but any director worth their salt would have proper insurance.
There must be some kind of possible class-action suit here.
Considering the payout for a government employee losing a drive with unencrypted student loans info (which is infinitely more sensitive than an old credit card number) was $60, this one should net me a sweet 25 cents.
Might have got my terminology not quite straight, but wouldn't that insurance be a target for a lawsuit?
Might be a target, but proving a director didn't do their due diligence or duties around a bankruptcy sale would be tough; not really up to them to ensure it's disposed of right unless they pushed for it or otherwise caused it to happen.