September 27, 2018
A company that collects customer personal and financial information is responsible for that data whether it’s at rest, in transit, or at end-of-life.
What happens when a company goes bankrupt?
Normally when a company goes out of business it follows an orderly process in which operations are closed down and assets are sold off to pay creditors.
When Netlink Computer Inc. of Canada – a computer hardware and software retailers better known as NCIX – went bankrupt in December 2017, few people realized that a routine financial failure set in motion a series of events that would lead to a major – and completely avoidable – security breach.
NCIX had been in business for over 20 years and, at its most successful point, operated over a dozen stores across Canada as well as an active online business. Spreading beyond Canada, NCIX also served clients in the U.S. through a distribution center in California.
The challenge that tripped up NCIX was a common one: the company continued to rely on the business model that had made it successful in the first place and failed to adapt to changes in consumer buying patterns. As purchasing dollars increasingly went to online purchases NCIX continued to invest in expensive-to-operate retails stores instead of online infrastructure.
A data breach in the making
Many companies far larger than NCIX have failed to make the transition from brick and mortar to internet-based sales, so this bankruptcy was not at all unusual. What was unusual, particularly for a company specializing in information technology products and sales, was the cavalier way in which NCIX failed to protect the data in its care.
It now appears that records containing personal and credit details for all customers in the U.S. and Canada who made purchases from NCIX were offered for sale through a post on Craigslist. The records been housed on database servers the company essentially abandoned when it went bankrupt. Aside from the sheer volume of customer records was the startling fact that this represented every record NCIX created over the past 15 years.
There’s also an indication that over 500 NCIX desktop computers and some additional enterprise hardware was sold off earlier, though the status of data on those devices is unknown.
The person who discovered and publicized this breach was Travis Doering of Privacy Fly, a Vancouver-based cybersecurity company. While details are still emerging about how data-bearing servers moved from the NCIX data center through an auction house and into the hands of someone willing to sell the data for a profit, news sources have often jumped to the conclusion that the whole problem could have been avoided if only NCIX had encrypted the data.
Would encryption have eliminated the breach?
While certainly encryption would have helped, it’s important to note that the person offering the drives and data for sale didn’t need to resort to any fancy forensic methods to access the records stored on the NCIX servers. The seller already had the passwords necessary to access the databases.
And if those passwords were that readily available, knowing human nature it’s not a stretch to think that encryption keys would also have been recorded and easy to find, just like the passwords were.
So no, encryption alone would not necessarily have prevented data from being accessed once the servers were put up for grabs. The only sure solution would have been drive sanitization or destruction.
While this story continues to evolve the message is clear: this breach could have been avoided had NCIX taken normal, reasonable data security measures.
Every company that holds personally identifiable records must put policies in place to protect those records, and the simple act of closing a division – or the entire company – doesn’t remove that obligation. Further, the responsibility to protect data extends to any organization who takes ownership of an asset for resale…e.g., an auction company handling an asset liquidation.
Had NCIX engaged the services of a professional IT Asset Disposition company when they realized they needed to shut down, not only would the data have been eradicated but it’s quite possible they would have made money on the sale. The assets would have been tested and marketed to a more select pool of potential buyers which would have benefited both the owner and his creditors. Instead it appears NCIX management simply walked away and left the fate of their servers and data to their landlord, a non-specialist auction house, and eventually to people who realized they could profit from putting innocent customers at risk.
Even if the assets had no residual value and NCIX had to arrange to have the hard drives shredded and the equipment recycled, choosing to simply ignore legal requirements that require secure disposal of consumer information – e.g., Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA) – was highly (and possibly criminally) negligent. Companies must ensure that media housing personally identifiable information is either destroyed or erased using methods that ensure the resident data cannot be reconstructed or recovered in any way.
The NCIX data breach is the latest example of how sloppy data management, lack of clear operational rules, and disregard for legal requirements work together to put individuals at risk.
While no company plans to fail, all companies have a responsibility to protect customer and employee private information. An ITAD provider can serve as an invaluable resource to ensure compliant data destruction and recover residual value when assets are removed from service whether that removal is part of an ongoing refresh cycle, the result of a facility closure, or an integral part of an orderly business shut-down.