British Columbia·CBC Investigates

RCMP and privacy commissioner probe alleged NCIX data breach

B.C.'s privacy commissioner is investigating an alleged privacy breach involving the bankrupt computer retailer NCIX.

Questions raised after ads appear offering old computer database equipment for sale

a hand hovers over a computer keyboard
Authorities are investigating a claim that NCIX's database servers have been advertised online with all of the information still intact. (Getty Images)

The RCMP and Office of the Information and Privacy Commissioner of British Columbia are investigating allegations of a possible data breach involving the bankrupt computer retailer NCIX.

Authorities are investigating a claim that NCIX's database servers have been advertised for sale online with all of the information still intact.

In doing so, it may have compromised the security of countless customers. 

According to a statement from Richmond RCMP, the case was opened Thursday and police have seized the servers.

The investigations began after a feature article appeared on a cybersecurity website called PrivacyFly this week..

The piece detailed how the author arranged to meet a man who was selling computer hardware he advertised as being from the now defunct company NCIX. 

NCIX computers for sale

The author Travis Doering is a systems analyst who says he noticed a Craigslist ad listing NCIX  computers for sale.

Doering says he arranged to meet the seller, a man who called himself Jeff, in a warehouse in Richmond.  He says he was stunned when the man offered the information from offline backup servers on millions of transactions.

"Every record for more than 10 years was there."

Travis Doering examines documents of private information, which he says he copied off NCIX computer servers that are being sold. (CBC/Tristan LeRudulier)

He says he saw personal data of customers, including addresses, phone numbers.and financial information.

"Credit card information was there in plain text with numbers, CVVs [Card Verification Value] and expiry dates," Doering said.

He also saw personal income tax information about employees such as T4 statements. He showed some of the statements to CBC News.

CBC has reached out to former NCIX employees but has not heard back.

Computer experts say they don't understand how this information would not have been encrypted. 

Graham Wiliams says he is surprised by the potential size of the alleged privacy breach. (CBC/Tristan LeRudulier)

Technical expert Graham Williams says he was shocked at reports of the breach and worries how much information may be out there.

"Looking at other breaches of Canadian retailers, we haven't seen this scope of information of user data, this amount of unencrypted data."

NCIX was a British Columbia-based computer seller that filed bankruptcy papers on Dec. 1, 2017.

The retailer closed its outlets in both Vancouver and Richmond.

On Friday, the office of the privacy commissioner refused to reveal the scope of the investigation. 

WIth files from Belle Puri


Joan Marshall is a senior producer for CBC News, based in Vancouver.