A story recently began circulating about a situation in which it appears that NCIX’s customer and credit card data is being made available for sale. It reminded me of my experience when a friend and I visited NCIX’s warehouse during their bankruptcy auction preview on February 21, 2018.
- There were many boxes full of paper with confidential data left available for inspection. I saw supplier invoices, telephone bills with call records, and a variety of personal data in plain view. Even NCIX customers’ credit applications were visible. As a long-time NCIX customer, it seems likely that some of my data was included in the data that was left exposed. Some of these boxes had big signs on them indicating that the boxes should be shredded.
- The warehouse floor had computers that remained unsecured and logged in to their CRM/ERP system. Anybody was free to use the computers to access any of the data in the system. When I came across one of them, it was displaying the information associated with an order that NCIX sold to a customer via eBay.
- The server room had a sign which stated: “Server room. Not part of the sale. Please do not enter. The Bowra Group”.
Why would Able Auctions leave the boxes with the large “shred me” signs on them available for inspection?
It’s been documented for many years that used data processing equipment sold on eBay is purchased by people who intend to profit by exploiting the data that is frequently left intact. The data on a used hard drive from a computer or a photocopier is often worth more than the equipment itself.
I don’t know the degree to which Able Auctions is aware of this phenomenon. All I know is that they hold themselves out as auction experts. Their compensation is strongly tied to finding the most profitable way of marketing assets for liquidation. Knowing the factors which influence an item’s value is a critical part of that process.
While I was at the auction preview, I expressed my concerns to more than one Able Auctions staff member about private data being exposed. They did not seem especially surprised, shocked, alarmed, or otherwise concerned. At least one staff member even seemed a bit annoyed with me. They also didn’t take any steps to secure the data on the warehouse floor. When I returned to the auction the following day, the data remained available to anyone and everyone who made the mistake of looking in the wrong direction.
The processes of both The Bowra Group (the bankruptcy trustee) and Able Auctions clearly don’t include commercially reasonable steps to protect people’s personally identifiable information. People’s credit applications should not have been visible to me. Somebody knew enough to label boxes for destruction — why weren’t they empowered to follow through by hiring a shredding company?
The cynical interpretation is that during this bankruptcy, strategic choices were made to signal to observers that data protection was not taken seriously. In a world where there exists a market for other people’s data, it’s sadly possible that this is a revenue-maximizing strategy.
The more charitable interpretation seems to be that the administrators of the bankruptcy process are unaware of these issues, don’t care, don’t think it’s their problem, or don’t think they are paid to worry about these sorts of things.
I’m incredulous that a liquidator in 2018 would not be aware of data’s value. I’m similarly incredulous that they would decide to undertake a process that leads to people’s data being sold without consent.
[Update: Looks like Linus of Linus Tech Tips published a video on March 7 which shows some of the customer data that was left unsecured. Additional data was also lying around elsewhere.]