So, a little background here. NCIX is a company that sold a lot of computer parts, made somewhat famous by Linus Sebastian of Linus Media Group, Linus Tech Tips. And if you have been on YouTube at all, you know who Linus is if you're in the computer world. He started there, and he recently did a video, within, I think, a couple months ago, about their auction and their bankruptcy and them falling apart.

This is where things go off the rails, though, and this is a company called Privacy Fly. Privacy Fly is a boutique cybersecurity firm based in Vancouver. Now, I found this very interesting and also very disturbing with all these data breaches. So if you didn't hear, recently Newegg had an incident with a data breach, so they're obviously a really big computer retailer. And this is titled as a data breach, but it's a little bit different than that, and it's actually maybe a little bit worse in some ways. So I don't know much about this Privacy Fly company at all other than what I just read here. They don't really seem to have a ton of information other than being a cybersecurity boutique. I've seen that term; I think there's a lot of weird branding that goes around cybersecurity. So they're a cybersecurity boutique, apparently, if I read that properly here.

So anyways, the really interesting part is this entire write-up about this. Of course, I'll leave a link in the article to this here. Data broker: a title you likely associate with two common scenarios. The first being legal companies that focus on collecting, collating, and analyzing data, commonly used for insights and making data-driven behavior change. The second scenario is the illegal sale of data, and that's what we're dealing with here. So it's titled data breach, but let's get to this. This is a very interesting story of someone posting for sale, and I believe it was on Craigslist.
I think I have a cached copy of the ad. Well, it looks like the ads are all dead now, but they were up the other day. So here is the Reddit post, which I can also leave a link to, where there's a big discussion going on about the entire NCIX data breach. But this was all started as a Craigslist ad; then it goes a little bit deeper. So this person writes the entire story of how they went through and contacted this person off of Craigslist that was saying that this was for sale: all the data, not just the servers. We're not talking about the servers for sale; a lot of those went for auction. And what this person did was provide lots of details in here to prove that they had the data, not just these pictures here, but they had the customer data, the client data, personal files of the CEO of the company and many other people. It says Mr. Wu's computer featured personal documents and images, fairly mixed with numerous private photos of high-end escorts from mainland China. So very personal information. And this is Canadian, so they're referred to as, I believe, the SIN; it says similar to the Social Security numbers we have here in America. But this is very concerning because none of this data was encrypted very well, so we now question the security practices over at NCIX. They had apparently all these people's credit card numbers. They had all kinds of this information just in these databases.

And the story gets a little bit weird too, and this is the part that I don't know how true any of this is, and this is all very subjective. We know the data is there.
The acquisition of the data wasn't exactly from the auction, it sounds like, at least with the person selling it, who they only identify as Jeff (no real details about it), who rented a nondescript office building to broker the sale and had many people purchasing it, so they were selling copies of this to people. And Jeff's claim was to be from a company that NCIX had owed money to, and they were in possession of their servers. So they were selling their intellectual property and their customer lists in order to make money. And the security researcher posed as a competing IT company that wanted to buy this data, and they were negotiating a deal. So he breaks down all the little details in here, but this really comes down to something that's unfortunate for the general public. But anyone who's worked in IT for any length of time, especially in a position we are: this is waiting to happen all over the place. There are so many unencrypted hard drives, unencrypted databases.

And as an IT person, we really push for it. We encrypt ourselves; that is, you know, if you have watched any of my previous videos, we've talked about it. We encrypt all of our servers. We encrypt all the data. If you power them off, they require a password to come back on. The hard drives require a password. We're using the encryption on our FreeNAS data storage system for everything, because if you encrypt everything, you don't have to worry about some encrypted, some not. We just encrypt everything. I require a password to turn on even my computer. My hard drive's encrypted. My data drive that holds all the videos that I record for YouTube is encrypted. Why? In case I see something there that maybe should be encrypted.
I don't have to ever worry about it. I just know that I encrypt every piece of my life, and it makes life a little bit, you know, a little bit... if something happens, you're a little bit less worried about it. And this is clearly not the case for them, and I gotta admit, this is really hard. They've been in business for a long time before they went bankrupt. And when you start with unencrypted from the beginning, it's really hard to go back later, because you're like, I gotta reset this drive up, but I built it unencrypted and now I've got to go back and set it up. Yes, you do. And we see this with small businesses all the time that have no encryption with any of their equipment as well. And it sounds like the passwords are really weak, the few passwords they did have. And they also, and this goes back to another place that we make sure we encrypt but they didn't, they backed up and have images of lots of hard drives of lots of the computers. So the images were unencrypted, which of course made them easy to acquire, because once you can get around it real quick, cool, I was able to get around this. And I'm not talking about passwords for Windows; I'm talking about proper disk encryption that needs to be done.

So it does have a little bottom note for press: if you choose to write an article based on this information, you're welcome to reuse any content from this article; please mention the source. Which I am; I'm gonna leave a link to them here. So it's not too in-depth. I'll let you read through this yourself, and he just walks you through the story of going back and forth with the person and just how kind of disturbing this was.

I find it very interesting, but I probably think this goes on way more than people even realize. You know, people saying, well, we should hold the PCI compliance people, you know, because they probably passed this company's PCI compliance and never should have. I have mixed feelings. I get the purpose of PCI compliance, and unfortunately many of the companies that were breached previously were
following the checkboxes. PCI compliance is very bureaucratic and not always pushed for security, and unfortunately it gets worse in a small business market, because they support PCI compliance by letting the owner of the business say, yes, I don't do these things, check some boxes, do an external scan, and pass compliance. It goes very, very... not in-depth, I should say, or not really well-practiced. And it's always a balance in business of how much time do I spend encrypting and how much is my risk. A lot of companies roll the dice, especially in a small business market, going, you know, how much would it cost to redo our infrastructure to put it encrypted? We've built it for the last 15 years with these databases without encryption, so we just kind of continue to do it that way. Which is not right, and it needs to be thought about, and the only way this is really going to change is for some of these companies to have their feet held to the fire more when this type of thing occurs.

But this is pretty big if you have any data in NCIX. I never bought anything from them, so hopefully I'm not in this database somewhere. I don't know whether or not this will be used to try to fraud the credit cards that they had on file or not. But wow, there's a lot of things in here. I mean, look at all these disk images they have, listing all the different servers and things like that. So it is the entirety of their data. And just, if you can encourage your clients to encrypt, or encrypt yourself, definitely go for it. Save yourselves some trouble on this. And for those of you wondering: yes, we encrypt everything. I built it that way. I, you know, came from a security-minded background where I encrypted things. You know, it's been from the beginning, so I've been doing it. But wow, it's really scary when you see some of these companies, going, wow, they never did. And this was especially because this was a tech company. This wasn't some company; should have known better. But I'll leave this here.
I'll make sure to finish reading. I'll leave the link, because there's a lot of discussion on the Reddit forum here with sysadmin, and just talking about some of the back-and-forth about it. And so it's a mess. It's a mess for sure. There's a lot of bad security practices in here. So lots of reading, lots to think about, and hopefully you can be the catalyst for change at your company or whatever position you are, and hopefully keep this from happening again. Thanks.