guess someone will sue the landlords
Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale
Servers that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped – and their customer data sold overseas – it is claimed. Those boxes, allegedly, stored plaintext credit card data for approximately 260,000 people, and purchase records for 385,000 shoppers. Travis …
COMMENTS
-
-
Friday 21st September 2018 07:00 GMT Anonymous Coward
Why?
Why should the landlord be under an obligation to check what's on the drives and clean them off? The landlord almost certainly wasn't selling stuff directly, but had contracted with a third party for disposal of everything left behind, from servers to whiteboards in conference rooms, in exchange for a cut of the sale proceeds. The landlord already got screwed for back rent, should they be more screwed by adding additional burdens on them?
-
Friday 21st September 2018 08:52 GMT Anonymous Coward
Re: Why?
That they subcontracted their responsibility doesn't make it any less THEIR responsibility, because as they seized stuff, it became THEIR property.
Or else, it'd be too easy to say "Hey, we found barrels of drugs, so we subcontracted to sell them, it's all fine, right?"
So yes, I do hope the landlords get sued, as the effective data controller at the time of the breach.
-
Friday 21st September 2018 13:25 GMT Anonymous Coward
Re: Why?
The landlord wasn't responsible for putting the data on the servers, and never "takes possession" of said data - how would they even know what is on the drives? Comparing it with finding drugs is ridiculous - sale/possession of drugs is illegal. Sale/possession of servers is not.
If the business left dozens of filing cabinets, and had them hauled to the dump along with worn carpet, broken chairs etc., should they be held responsible if someone goes down to the dump, opens the filing cabinets, and finds people's personal data on the paper stored in them? I guess you think they should open the filing cabinets and shred/burn every scrap of paper just in case it contains something sensitive?
If you take the view that once the tenant is evicted the servers, as well as the data on them, are now the responsibility of the landlord whether they like it or not, the tenant could deliberately bankrupt the landlord. Let's say the landlord has been threatening the tenant with eviction, and the tenant decides to get him back should that occur. The tenant includes a dead man's switch in their code which requires a daily deactivation.
The day the landlord comes and changes the locks, the servers are still running, but this time the tenant doesn't deactivate. With the dead man's switch activated, the servers now allow anyone to download the personal information of all customers in a convenient zip file (they can make it look like a bug that was intended to only allow the company owner to download the data). Since in your world the landlord takes responsibility for said data when they evict the tenant, the landlord is now liable for a major violation of the GDPR!
-
Friday 21st September 2018 14:02 GMT DavCrav
@DougS: Re: Why?
"[Lots of stuff about dumping stuff and things, all irrelevant]"
They are selling stuff, not chucking it in the bin. Once you start selling things to people, yes you are responsible for what you sell. Amazingly.
Computers have data on them. This much is obvious. There's a pretty good chance that a company's computers have sensitive data, including personal data of customers, suppliers, employees, etc. There's no chance you are going to get away with a 'but how was I to know that the payroll computer had payroll details on it?'
-
Friday 21st September 2018 14:08 GMT Chris Evans
Re: Why?
Yes, that was the first breach, but everyone in the chain is in breach. Ignorance of the law is no defence.
If you buy any second hand storage, the first thing you should do is wipe all data and when I say wipe I mean so it can't be recovered. Remember in the UK possessing certain types of pornographic images is illegal and IIRC people have been convicted even when the courts accepted that they didn't know they had them.
-
Friday 21st September 2018 16:55 GMT Anonymous Coward
Re: So.... back to suing NCIX then?
Well, no. The landlords assumed ownership of the equipment, and then failed to destroy the PII contained on the equipment before they resold it. They're responsible.
I used to work for a company that purchased and resold defaulted properties. Every once in a while, we would be deployed with an acquisitions officer because the previous tenants left computer equipment behind. Before we removed any of the equipment from the location, we first inventoried it and gave it a DBAN wipe. We then signed documentation affirming that we did not view or copy the data before we wiped the equipment.
Cumbersome? Sure, but this is what we decided needed to be done to avoid liability and prosecution. YMMV.
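One way a disposer could check that a drive image really came back zeroed after a wipe, and flag any residual card-number-like plaintext of the kind the article describes; this is an added example, not the article's code nor any commenter's, and the sample image it scans is constructed here.

```python
"""Wipe-verification scanner: reads a block-device image, counts sectors that
still hold non-zero data, and flags digit runs that pass the Luhn check (the
checksum used by payment card numbers). Added example for this thread; not
NCIX's code nor any commenter's."""
import re

SECTOR = 512
# Digit runs of card-number length, not adjacent to other digits. Bytes regex:
# \d is ASCII-only here, so binary junk does not produce false matches.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters most random digit runs out of the report."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the first six and last four digits; never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_image(data: bytes, sector: int = SECTOR) -> dict:
    """Return wipe statistics and masked Luhn-valid candidates for an image."""
    total = (len(data) + sector - 1) // sector
    nonzero = sum(1 for off in range(0, len(data), sector)
                  if any(data[off:off + sector]))
    pans = {mask(m.group(1).decode()) for m in PAN_RE.finditer(data)
            if luhn_ok(m.group(1).decode())}
    return {"sectors": total, "nonzero_sectors": nonzero,
            "pan_candidates": sorted(pans)}


def verdict(stats: dict) -> str:
    """'clean' only when every sector reads back as zeros."""
    if stats["nonzero_sectors"] == 0:
        return "clean"
    if stats["pan_candidates"]:
        return "residual data with card-number-like content"
    return "residual data"


def build_sample() -> bytes:
    """Constructed 64-sector image: all zeros except one customer record left
    behind by a box that was only reformatted, not wiped. The card number is
    the well-known 4111... test value; the order number fails Luhn."""
    img = bytearray(64 * SECTOR)
    record = (b"id=385001,name=Example Customer,card=4111111111111111,"
              b"order=1234567890123456,exp=1220\n")
    img[10 * SECTOR:10 * SECTOR + len(record)] = record
    return bytes(img)


if __name__ == "__main__":
    stats = scan_image(build_sample())
    print(stats, verdict(stats))
```

Zeros reading back over the host interface are necessary but not sufficient for SSDs (remapped blocks and over-provisioned flash are invisible here), so this check complements, rather than replaces, a firmware secure-erase or physical destruction.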
-
Friday 21st September 2018 17:53 GMT Anonymous Coward
Re: So.... back to suing NCIX then?
Uhhh, this might be obvious, but the landlords' names aren't on any of the EULAs that 300,000 customers were in agreement with.
How do you not get caught selling shit like this on Craigslist? I've seen far less shady ads draw attention and even a couple of ads turned into Be On the Lookouts (BOLOs). I myself had an Xbox seller arrested in front of me at a gas station.
-
Friday 21st September 2018 13:08 GMT DavCrav
Re: Why?
"Why should the landlord be under an obligation to check what's on the drives and clean them off? The landlord almost certainly wasn't selling stuff directly, but had contracted with a third party for disposal of everything left behind, from servers to whiteboards in conference rooms, in exchange for a cut of the sale proceeds. The landlord already got screwed for back rent, should they be more screwed by adding additional burdens on them?"
They seized the drives. They now own the drives, including any data on them. Are they legally allowed to own that data? If not, they need to remove it, sharpish. And particularly not sell it on to criminals. That makes you an accessory to identity theft, and that is a criminal offence in most jurisdictions. If there's evidence it was used to commit fraud, expect extradition requests to start flying around.
-
-
Friday 21st September 2018 04:38 GMT Joe Montana
Full disk encryption?
These machines were servers, if you enable disk encryption then you have to have a way to get the decryption key onto the box...
Either you store it on the box, which defeats the purpose of encryption... Or you have to enter it in order to boot the box, which makes maintenance and recovering from failures (e.g. power) more difficult.
Plus, encryption incurs a performance hit, which usually isn't wanted on a production server, and will increase costs.
On the other hand, during normal operation only trusted IT staff will have physical access to these hosts, and those staff usually have administrative privileges anyway so the risk of them taking data directly from the drives is very low.
The problem here is how the assets were disposed of when the company was liquidated.
Also this happens all the time, it's just that in most cases those acquiring the hardware either don't care about the data (i.e. they just wipe and reinstall the drives for their own use), or they do care about the data and don't want to draw attention to their nefarious activities with it.
-
Friday 21st September 2018 06:10 GMT Danny 14
Re: Full disk encryption?
That's the problem. For some people encryption is aimed at people having the physical drives rather than server and physical drives. Often people just use TPM, which would do nothing in a case like this.
That also being said, just make sure you buy the admin desktop machine too. Wonder if that had the keys in a file named "dont lose this file.txt" living on the desktop (TPM encrypted to the machine of course....)
-
Friday 21st September 2018 08:58 GMT Anonymous Coward
Re: Full disk encryption?
"Either you store it on the box, which defeats the purpose of encryption... Or you have to enter it in order to boot the box, which makes maintenance and recovering from failures (eg power) more difficult."
Or you store it on a separate HSM on the network, which can be used when the system boots to decrypt the needed secrets remotely.
"Plus, encryption incurs a performance hit, which usually isnt wanted on a production server, and will increase costs."
Not with today's hardware, which always includes AES instructions; the performance hit is negligible (or in other words, if you depended on that 5% performance gap, then your boxes all went down when you had to apply Spectre/Meltdown/Foreshadow mitigations).
-
Friday 21st September 2018 18:24 GMT JHGibson
Re: Full disk encryption?
I encrypt my laptop. Encrypting a server or even a home desktop is tricky. How easy is it to recover individual files from an encrypted backup? If your backups are not encrypted, how do you protect your backup media?
How do you make absolutely sure you do not forget the encryption key, store it in the company safe?
This is one reason why I do not want my primary credit card stored on commercial servers.
-
-
Friday 21st September 2018 05:36 GMT DougMac
How's this different than normal?
By the time a company is liquidated, anybody left there gives zero ***cks to what happens to anything left over, data, sensitive info, etc?
I've cleaned out offices with tax forms, W-2's, etc. all left behind. This is normal.
I've also bought 2nd hand filers from liquidated companies with full data still left on them. Source code, CAD drawings, records, etc. etc. Bought network gear with full configs (SNMP communities are always fun) still left on them, etc.
Not many liquidators would have the means, knowledge or time to make sure things are securely wiped, and if it has come down to the end, it's doubtful anybody still left at a company does either. They are the cleanup crew: get it out, get it gone. Who cares.
-
Friday 21st September 2018 08:28 GMT Peter Gathercole
Re: How's this different than normal?
Normally, kit like this is sold by the liquidator or administrator to settle debts, pay creditors (after lining their own pockets, of course, as preferred creditors).
Put the onus on them to clean the data from any kit that it sold on, and let them pass that obligation on to any disposals company that is engaged to clear a site. Make it a penalty on the liquidator to allow customer data to leak from a company they've closed down.
Will probably mean more perfectly usable kit being destroyed rather than recycled, and possibly make the IT equipment more of a liability than an asset, but perfectly doable.
-
Friday 21st September 2018 13:58 GMT Anonymous Coward
Re: How's this different than normal?
"Normally, kit like this is sold by the liquidator or administrator to settle debts, pay creditors (after lining their own pockets, of course, as preferred creditors)."
And this is where the real issue lies.
The equipment has been seized in lieu of debt.
The creditors want to recover as much of that debt as possible, so sell equipment to the highest bidder. The highest bidder, in turn, wants to recover as much money as possible with minimal effort. Adding responsibility for the data to the process adds additional costs no one wants.
I would argue the only acceptable solution is encrypting all data at rest, so that in the event of this type of thing happening, everyone is covered, but as a non-compliant company can't pay any fines once they default, it's pointless, so we're back to arguing over how to make someone else responsible for the data when they are unlikely to have any knowledge of what they possess until they are non-compliant. Or just smash all disks and accept the (significant) additional cost given the parties involved...
-
-
Friday 21st September 2018 15:47 GMT Doctor Syntax
Re: How's this different than normal?
"Not many liquidators would have the means, knowledge or time to make sure things are securely wiped, and if it has come down to the end, its doubtful anybody still left at a company does either."
Once one of them has been hit with a big GDPR fine they'll all make the time and acquire the knowledge. Either that or send the disk for secure destruction.
-
Friday 21st September 2018 18:58 GMT Ken Hagan
Re: How's this different than normal?
"By the time a company is liquidated, anybody left there gives zero ***cks to what happens to anything left over, data, sensitive info, etc?"
That would be the wrong number of ***cks to give if it turns out that you, personally, are in the frame for a criminal conviction under data protection law. This liquidated company you speak of ... it has directors, right?
-
-
Friday 21st September 2018 06:34 GMT Anonymous Coward
QED
Yet again, disposal is the problem.
Best just have the disks crunched. Maybe that should now become a default process for any administrators handling liquidation (also gives you someone to sue later).
Heck, I must see just how much one of these disk destructors costs. I may just have business for it myself (and, let's face it, it's fun to watch :) ).
-
Friday 21st September 2018 09:18 GMT HighTension
Re: QED
Just get a 10 tonne or higher hydraulic press from a DIY/Car repair retailer. Much cheaper and essentially the same thing. Manual 10 tonne presses are probably $300-400.
They will easily crack the cases of any drive, bend the platters to hell and strip the hub from the middle. With glass platters you get a satisfying crunch and tinkle as they shatter!
-
Monday 24th September 2018 22:50 GMT katrinab
Re: QED
There are loads of companies that do this, I’ve seen one that quotes £1 per drive, and they will come out to your place with a shredder inside a van and shred the drive in front of you. Presumably there is a minimum order, so if you just wanted one drive destroyed it would cost more than £1.
-
Friday 21st September 2018 07:16 GMT Wellyboot
>>>absolutely foreseeable<<< very true.
Had this been in Europe it would be a massive breach of GDPR and all the sellers from landlord onwards would be in breach. The original company could claim 'force majeure' as an excuse because the equipment was seized, presumably at zero notice.
In the UK, court-appointed bailiffs do a lot of these seizures; I wonder how many are aware of their new responsibilities?
-
Friday 21st September 2018 08:17 GMT taxythingy
> Had this been in Europe it would be a massive breach of GDPR and all the sellers from landlord onwards would be in breach. The original company could claim 'force majeure' as an excuse because the equipment was seized, presumably at zero notice.
Of course, it is also **absolutely foreseeable** that the company's servers might not be completely secure, given the regular data breaches, so slightly more security surrounding those databases might be considered a good thing.
-
Friday 21st September 2018 18:09 GMT Mark 85
The original company could claim 'force majeure' as an excuse because the equipment was seized, presumably at zero notice.
I'm sure they had notice: late rent payment mails, calls, etc. Warnings from lawyers and possibly even a court involved for bankruptcy and seizing the property. To say they had no notice would be a stretch.
-
Friday 21st September 2018 08:18 GMT 0laf
"Since NCIX is nothing but a corpse now, those whose privacy has been breached – any customer or employee – have little chance for any redress, we fear."
When the landlords seized the servers they became the custodians of the data they contained and responsible for it. This is Canada, which has a data protection adequacy agreement with the EU, so we might find the Canadian authorities take this a lot more seriously than you think.
-
-
Friday 21st September 2018 10:27 GMT Anonymous Coward
Re: What about "Jeff"?
Jeff was worse - the landlords and their agents could justifiably claim simple negligence for their oversight, but Jeff has knowingly instigated further breaches of that data by specifically selling it on to people whose business activities he "didn't want to know about". If that data is later found to be involved in perpetrating any criminal activity he could find himself being charged as an accessory to the crime. Assuming it can be traced back to him, of course.
-
-
Friday 21st September 2018 12:33 GMT Anonymous Coward
> so we might find the Canadian authorities take this a lot more seriously than you think.
No they didn't.
I live here and have been using NCIX for 3 different employers for the last 10 years.
The security company that found the servers for sale reported it to the RCMP (mounties); they told him to call the Canadian Anti-Fraud Centre, who told him they don't investigate, they just record statistics of breaches, and to call the RCMP.
... They just announced they will investigate after it made the news in the US.
-
Monday 24th September 2018 16:06 GMT Alan Brown
"The security company that found the servers for sale reported it to the RCMP (mounties) they told him to call the Canadian Anti Fraud Center who told him they don't investigate they just record statistics of breaches and to call the RCMP."
Very much a case of calling the wrong people - however both groups are very likely to have their arses hauled over the coals today by the Privacy Commissioner of Canada (OPC) due to this very public fuck up.
Canadians do at least genuinely learn from such mistakes and I'd expect they should have procedures to handle such calls _properly_ by the end of the week.
-
Friday 21st September 2018 11:24 GMT WonkoTheSane
Wait for it...
I expect ex "Face of NCIX" Linus Sebastian to talk about this on his YouTube channel Linus Tech Tips over the weekend.
-
Friday 21st September 2018 11:35 GMT Anonymous Coward
I once bought some s/h computers from a famous college in London via a "refurbishing" company; the HDDs were chock full of student data.
(The drives were 95% full - the performance slowdown is probably why the idiots sold them off.)
As far as I could tell, "refurbishing" meant using a damp cloth to wipe the dust off the cases, as they hadn't even done a basic reformat of the HDDs.
If I had been Dr Evil, I could have recouped my £40 per box many times over.
-
Monday 24th September 2018 16:08 GMT Alan Brown
"I once bought some s/h computers from a famous college in London via a "refurbishing" company; the HDDs were chock full of student data."
This is why we don't let things out of our department without wiping them first. "certificates of erasure" or "data destruction" aren't worth the paper they're printed on and when the chickens come home to roost, they don't land on the recycler's doorstep.
-
Friday 21st September 2018 13:25 GMT Killfalcon
Re: Until such a time as
Same reason as always: without limited liability, starting a company is a massive gamble. I mean, it's already pretty risky, but who's going to put their time and money into a business if they can go to jail over their employees screwing up?
A friend of mine is a lawyer who works with startups, and the one thing that keeps coming up is that they've got 2-5 people involved who need to know everything. They need to know data security, sure, most of us here do that, but they need to know international shipping, hiring practices, firing practices, legal standing of unions, supplier liabilities, tax law, health insurance (stateside), health and safety, and a dozen other things, any one of which could turn out to be the reason the company fails. Ending limited liability ends entrepreneurism, and society as a whole would like there to be entrepreneurs doing things.
That's not to say there isn't room for reform, and that the protections shouldn't scale so that the heads of larger companies take progressively more risk, and career fraudsters should be shut down before their third or fourth bankruptcy... but there's a valid purpose at the core of it.
-
Friday 21st September 2018 16:02 GMT Doctor Syntax
Re: Until such a time as
"I mean, it's already pretty risky, but who's going to put their time and money into a business if they can go to jail over their employees screwing up?"
The directors remain responsible for the company being run legally. Limited liability protects against debts. It's just that TPTB are reluctant to enforce it, presumably for the reasons you suggest. They need to use their powers more often if the actions are carried out in bad faith. At present the maximum extent seems to be to disqualify a director.
-
Saturday 22nd September 2018 01:59 GMT Anonymous Coward
Re: Until such a time as
”Same reason as always: without limited liability, starting a company is a massive gamble. I mean, it's already pretty risky, but who's going to put their time and money into a business if they can go to jail over their employees screwing up?”
Sure, but the risk is also being borne by those who entrusted their data to you, who not only didn’t expect it, but who probably didn’t sign up for it in the contract. Which seems to me to be unacceptable.
-
-
Friday 21st September 2018 16:38 GMT a_yank_lurker
Re: Until such a time as
@AC - The other alternative is to make the potential fines sufficiently massive that they could make a significant impact on the P/L statement. GDPR does this, as up to 4% of a company's gross worldwide revenue would get noticed, as it could either wipe an annual profit or significantly lower it. Both would get investors' attention, who just might add to the misery by suing for 'failure of fiduciary trust'.
-
Friday 21st September 2018 18:52 GMT Anonymous Coward
Re: Until such a time as
"GDPR does this as up to 4% of a companies gross world wide revenue would get noticed as it could either wipe an annual profit or significantly lower it"
Is this responsibility - and potential consequence for failure - inherited by the receiver / liquidator who takes control of a firm and/or any assets? [If not, why not? It doesn't stop being PII, after all]
-
Friday 21st September 2018 21:54 GMT The Oncoming Scorn
To Add Insult To Injury
A few of my colleagues used them in the past, I don't think I ever did due to being only here in the last 10 years.
One of my colleagues has just been shown in one of the screen grabs posted online - to say he's not a happy bunny (ever) is an understatement at the current moment.
-
Friday 21st September 2018 22:51 GMT Anonymous Coward
RCMP does what?
They are (or were) an NCIX customer. Hence an investigation. (You can google rcmp & NCIX for the link).
So they are just looking after their own interests.
Disclosure of PII is not against the law here in upper Canuckistan. But using PII fraudulently is. Or used to be. You have to steal $millions before they will pay any attention.
-
Monday 24th September 2018 16:12 GMT Alan Brown
Re: RCMP does what?
"Disclosure of PII is not against the law here in upper Canuckistan."
Yes and no. Thanks to the GDPR equivalency treaties Upper Canuckistan has signed with the EU, if any European residents/citizens are included in that lot then they are, and for any sample greater than 1 the chances are fairly good there will be a few.
-
-
Monday 24th September 2018 20:44 GMT Mattknz1
secure disposal.
At the request of a customer I employed secure disposal services of a prominent company here in NZ, paying quite a pretty price. Shipped off a mid-size SAN and promptly received a call asking if they could 'recycle' and not dispose of said device.
I received a 'certificate of disposal'; however, I'm moderately sure they double charged this device into the hands of a 3rd party.