7 votes

NCIX data breach - The WAN Show Sept 21, 2018

6 comments

  1. [3]
    cfabbro
    (edited)

    Context for the unaware:
    https://tildes.net/~tech/6ml/ncix_data_breach_after_bankruptcy_terabytes_of_unencrypted_customer_company_data_have_been_sold_to

    The show just started a few minutes ago... they had some technical issues (accidentally streaming to the test channel) so it was 30 min late today. I'm kind of sad Linus isn't on the show today though, since I really wanted to hear his opinion on the breach given his former position within the company as a senior category manager and host of NCIX Tech Tips (he quit 5 years ago so had nothing to do with this leak though).


    Summary of what they discussed related to the leak:

    • RCMP has recovered the storage devices that were being resold. However it's too late... those drives had already been bought and sold several times already, the leaked data was backed up, is still out there and slowly being leaked.

    • What has been confirmed in the leaked data so far: Records going back over 13 years (and up to late 2017) including customer email addresses, home addresses with postal codes, credit card numbers, NCIX.com account passwords in plaintext as well as NCIX employees' Social Insurance Numbers (Canada's version of SSN) and copies of T4 tax forms.

    • NCIX records for both US and Canada are included in the leak.


    Show is done now. Archived video is viewable. They spent the first ~20 min of the show talking about the leak if anyone just wants to watch that part.

    5 votes
    1. [2]
      Neverland

      It seems like “Jeff,” the seller, was committing a crime knowingly selling credit card info, right?

      1 vote
      1. cfabbro
        (edited)

        I imagine so, yeah. And now that the RCMP are on the case I'm sure they will slowly start working their way back through all the previous people that knowingly bought/sold the drives for that purpose, too. If I was Jeff, I would be worried.

        1 vote
  2. [3]
    pseudolobster

    Wow, this feels really weird. I know for certain my info is in that database. I lived in Vancouver for years, and NCIX was one of the best places to buy hardware. Over the years I've read about all these data breaches, but this is the first time I've had my data compromised in one.

    Luckily, the last time I bought anything from NCIX was over 10 years ago, so the info in there is an old address, phone number, and credit card number. Still, feels really weird knowing this happened and there's nothing I could have done to stop it.

    2 votes
    1. [2]
      cfabbro

      > Over the years I've read about all these data breaches, but this is the first time I've had my data compromised in one.

      Are you so sure about that? https://haveibeenpwned.com/

      But yeah, I hear you. I live in Toronto but also regularly used to buy components from NCIX here, so I have no doubt my info is included in the leak as well. Although, same as you, it will be super old info so I am not particularly worried.

      1 vote
      1. pseudolobster

        Well, I'm in there, but only for things like Disqus and an old Adobe account I used for downloading something. My email is in some pastebins, paired with a username I don't use often, probably a forum or something. Basically all throwaway accounts I wouldn't have used a strong password for anyway, and I certainly didn't enter any real address, credit card, or other personal info.

        This one is weird for me because it's going to be real data about me. An actual address and phone number I had at one point. Possibly an old credit card number if I used one. Serial numbers for hardware I owned or possibly still own. And there's nothing I could have done differently to prevent this from happening.

        It's not very important data, and I'm certainly not worried about it, but it makes the whole thing a lot more real for me knowing my name is almost certainly in there.

        2 votes