CBC Investigates

Proposed class action lawsuit claims data breach exposed personal information of 258,000 people

A Vancouver software engineer has launched a proposed class action lawsuit in the wake of an alleged data breach involving personal information belonging to former customers of bankrupt computer retailer NCIX.

Civil claim says bankrupt computer retailer NCIX failed to properly encrypt information

A Vancouver software engineer has launched a proposed class action lawsuit against former computer retailer NCIX in relation to an alleged privacy breach. (Jonathan Hayward/Canadian Press)

In a notice of civil claim filed in B.C. Supreme Court, Kipling Warner says he gave the company his name and address along with his debit and credit card details in the course of purchasing computer products.

He's seeking to certify a lawsuit against NCIX and the company tasked with auctioning off the computer firm's old equipment.

Warner claims NCIX failed to properly encrypt the information of at least 258,000 people. And he claims the auctioneer failed to take "appropriate steps to protect the private information on its premises."

His lawyer, David Klein, told CBC that customers dealing with a technology company would expect anyone who comes into contact with their information to take steps to ensure confidentiality.

"Not only did they fail to take steps to protect the privacy," he said. "It looks like some of the lists may have been sold to criminals who will exploit the credit card information and very likely engage in identity theft of NCIX customers."

A man named 'Jeff'

NCIX was a B.C.-based online computer hardware and software retailer.

The company, officially known as Netlink Computer Inc., had retail outlets in the Lower Mainland as well as Markham, Mississauga, Scarborough and Ottawa before filing for bankruptcy last year. 

The lawsuit follows questions which began circulating last week with a post on cybersecurity website PrivacyFly.

In a post on cybersecurity website PrivacyFly, Travis Doering claimed a man named 'Jeff' offered to sell him private information from old NCIX servers. (CBC/Tristan LeRudulier)

The author, Travis Doering, said he arranged to meet a man named 'Jeff' who claimed on Craigslist to be selling old NCIX hardware.

Doering said 'Jeff' offered information from offline backup servers on millions of transactions. He claimed to have seen detailed financial information about customers and the personal tax details of former NCIX employees.

Richmond RCMP opened an investigation into the alleged data breach last Friday as a result of those allegations.

'Private information was stored unsecured'

According to the proposed class action lawsuit, a trustee was appointed to take possession and make an inventory of all NCIX's property last December.

The court documents claim NCIX collected and retained "more information than was necessary and for longer than necessary concerning its customers" while it was a going concern.

The proposed class action lawsuit says private information belonging to former NCIX customers was being offered for sale over Craigslist. (Andrew Lupton/CBC)

Warner says NCIX failed to encrypt and secure the information before handing control of its business to the trustee.

The lawsuit claims the trustee contracted the auctioneer to dispose of the property — including servers — from NCIX's estate through a series of sales, which were open to the public.

"During the sales, private information was stored unsecured on (the auction company's) premises," the lawsuit reads.

"Members of the public were able to see, manipulate and take away the private information or copies of it."

'Wasted time, frustration and anxiety'

Warner is suing NCIX and the auction company for negligence and alleged breaches of both B.C.'s Personal Information Protection Act (PIPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

He says customers had no notice their private information was being either sold or transferred. And he claims both the trustee and the auctioneer should have had comprehensive policies in place to protect data.

The provincial privacy act says organizations doing business in British Columbia have a duty to protect the personal information entrusted to them.

The federal regulation says personal information that is "no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous."

The proposed class action lawsuit says millions of customers could be affected.

Warner is suing for loss including damage to credit reputation, mental distress, "wasted time, frustration and anxiety" and time lost "engaging in precautionary communication" with banks, credit agencies and credit card companies.

"It is a massive data breach," said Klein. "There's no total amount that's stipulated in the claim. Everyone who was a customer will have to take steps to ensure their credit card information isn't stolen. There is the cost, the inconvenience and the worry."

The trustee for NCIX did not return calls for comment.

A representative for the auctioneer told CBC the company had only just learned of the lawsuit and was consulting with lawyers.

None of the allegations have been proven in court.

With files from Belle Puri and Joan Marshall

About the Author

Jason Proctor

@proctor_jason

Jason Proctor is a reporter in British Columbia for CBC News and has covered the B.C. courts and mental health issues in the justice system extensively.