Peter Vogel

Bankruptcy has customers fearing data breach

Voices Oct. 10, 2018

Former customers of NCIX Computers are concerned their personal data may have been unsecured following the company’s bankruptcy last year, writes Peter Vogel. (Wikimedia image)

Recently various news reports emerged concerning computer gear from bankrupt electronics retailer NCIX being offered for sale on sites such as Craigslist.

Over the past 20 years or so NCIX had become the go-to company for many computer hobbyists as well as for commercial and business customers. The company had several outlets in the Vancouver market, as well as in southern Ontario.

In addition to retail outlets, NCIX.com ran a well-regarded online presence for both Canadian and American customers. The site was extremely nimble and detailed and generally kept up to date.

I myself was a longtime customer of the chain, primarily buying components for computers and servers at my school. Whether it be in-store, online, or over the phone, my experience was always of a very professional, customer-centric operation.

All that changed Dec. 1, 2017. Without warning, all the stores failed to open that day. NCIX had effectively been pressed into receivership for failure to pay rent at its headquarters in Richmond. The website carried a hint that NCIX would continue as an online-only retailer, although that subsequently failed to materialize.

That was that. Over 40 years or so in the computer business I’ve seen many a store or chain come and go. Surely the failure of NCIX was no different.

There had been some hints of trouble at the computer retailer in social media circles. Some posters had noticed delays in processing returned items. Others noted that orders were taking weeks instead of days.

Fast forward to March 27 of this year. A colleague had written me to say she was in need of a new hard drive for her ailing desktop computer. She was intending to buy it from NCIX.

“What do you mean, you are going to buy from NCIX?” I replied somewhat incredulously. I described how the chain had gone under and that the stores were locked. “No,” she said. “That can’t be the case. The company web site is still active; go look for yourself.”

I didn’t really want to waste time looking but did nonetheless. Sure enough, NCIX.com was still running, just as it had been prior to the stores shutting their doors. In fact the site was stuck in a time warp. The last updates referred to Nov. 30, along with vague references to Christmas specials.

In fact the full NCIX web site was operational. I was able to assemble orders, as it were, search the product database, check item stock, and the like. I didn’t follow through to the point of completing an order but I was immediately concerned about customer data.

From my perspective, the front-end, the public-facing web presence of NCIX, was running as if nothing had ever happened to the company. Whether that meant the back-end, the various database servers with customer records, was also running, I was not in a position to know.

However, I was concerned enough that I decided to write a note to the Office of the Information and Privacy Commissioner (OIPC) for B.C., through its public Twitter presence @BCInfoPrivacy. I sent the following tweet:

@BCInfoPrivacy Wondering if the interesting case of bankrupt NCIX Computers is worth a look? Appears that the web site continues to function, unmanned, and that there may be old customer data that is accessible. Nothing on the site has changed since December 1.

I heard nothing in reply from the Privacy Commissioner’s office and frankly I didn’t give it much additional thought until a few weeks ago when a local security researcher posted a detailed account of dealings he had with an individual purporting to be selling server gear from NCIX.

Most troubling was that some of this gear contained extensive customer records and purchasing details. The seller was prepared to sell the gear, replete with the data, but there were indications that the data itself may already have been sold in whole or in part.

It appears NCIX managed its own server farm and did little to secure customer data, a violation of provincial and federal laws.

As of September, the OIPC has become involved in the NCIX case. Exactly how that plays out remains to be seen. It is believed the former owner of NCIX has left for China. It may be that action will be taken against the receiver or against the liquidator in control of the gear that came to be available on Craigslist. If, like me, you were an NCIX customer, watch for a class action suit over the way sensitive personal data was maintained.

A full six months has passed since I notified the OIPC of my concerns regarding the web presence of NCIX four months after the company ceased to operate. Whether that web presence was part of the server gear being offered for sale is not clear. It may have been operating from a commercial hosting service.

However, an investigation by the OIPC back in March might have been able to head off the subsequent sale of sensitive NCIX customer data. At the very least the OIPC should have acknowledged receipt of my note of concern.

Follow me on Facebook (facebook.com/PeterVogelCA) or on Twitter (@PeterVogel).